Remote Code Execution Vulnerability in Pterodactyl Game Server Management Panel
CVE-2025-49132

10CRITICAL

Key Information:

Vendor

Pterodactyl

Status
Panel
Vendor
CVE Published:
20 June 2025

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 33%

What is CVE-2025-49132?

Pterodactyl, a widely used free and open-source game server management panel, has a significant vulnerability that allows unauthorized remote code execution. This occurs through the /locales/locale.json endpoint when specific query parameters are manipulated. Attackers exploiting this flaw can execute arbitrary commands, gaining access to sensitive server data, including configuration files and database information. A patch has been issued in version 1.11.11, and while there are no direct software workarounds, implementing a Web Application Firewall (WAF) is advisable to mitigate potential attacks.

Affected Version(s)

panel < 1.11.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-49132
Created by Zen-kun04

CVE-2025-49132_poc
Created by qiaojojo

CVE-2025-49132
Created by 63square

References

https://github.com/pterodactyl/panel/security/advisories/...
x_refsource_CONFIRM
https://github.com/pterodactyl/panel/commit/24c82b0e335fb...
x_refsource_MISC
https://github.com/pterodactyl/panel/releases/tag/v1.11.11
x_refsource_MISC

EPSS Score

33% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49132 : Remote Code Execution Vulnerability in Pterodactyl Game Server Management Panel