
DIVD-2025-00032 - Unauthenticated Arbitrary Remote Code Execution in Pterodactyl

Our reference DIVD-2025-00032
Case lead Davy Aarts
Researcher(s)
CVE(s)
Product Pterodactyl
Versions Pterodactyl 1.11.10 and below
Recommendation Upgrade to 1.11.11 or higher
Patch status Fully patched
Workaround Available
Status Open
Last modified 24 Jun 2025 13:47 CEST

Summary

The Pterodactyl Panel software contains a critical Remote Code Execution (RCE) vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. Successful exploitation can result in full system compromise, including access to credentials, sensitive data, and hosted servers.

Active exploitation attempts of this vulnerability have been observed shortly after its disclosure. While no confirmed breaches have been reported at this time, it is only a matter of time before unpatched systems are targeted successfully.

The issue has been resolved in version 1.11.11 of the Pterodactyl Panel. It is strongly recommended to update to the latest version as soon as possible.

What you can do

It is strongly advised that all impacted organisations immediately update their Pterodactyl Panel installations to the latest available version (v1.11.11) as described in the following Advisory.

Installing version v1.11.11 fully resolves the critical vulnerability identified as CVE-2025-49132, which allows unauthenticated remote code execution (RCE) on the server hosting the Panel.

If updating to the latest version is not immediately feasible, a temporary workaround is possible: organisations can mitigate the threat by implementing protective measures at the network or application layer. For more information, see the Advisory.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Pterodactyl and to notify these parties.

Timeline

Date         Description
20 Jun 2025  Pterodactyl published the vulnerability
24 Jun 2025  DIVD starts scanning the internet for open Pterodactyl instances.

More information