CRITICAL🇵🇱 Wersja polska

CVE-2025-52562

CVSS 10.0v3.1pub. 2025-06-23upd. 2026-04-15

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.

🤖 AI Analysis
How it works

The vulnerability (CWE-22/CWE-98) consists of the lack of proper validation of the locale and namespace parameters in HTTP requests directed to the LocaleController component. An attacker sends a specially crafted HTTP request containing path traversal sequences in these parameters, which allows specifying and including any PHP file located on the server. The mechanism of including PHP files without authentication and without path restriction constitutes a Remote Code Execution (RCE) vector.

Impact

An attacker can remotely execute arbitrary PHP code on the server without any authentication, which in practice means complete server compromise — data theft, backdoor installation, and takeover of managed virtual machines.

Mitigation & patch

Convoy must be immediately updated to version 4.4.1, in which the vulnerability has been patched. As a temporary workaround until the patch is deployed, it is recommended to apply restrictive Web Application Firewall (WAF) rules blocking requests to vulnerable endpoints.

Who is affected

Convoy (KVM server management panel by Performave) in versions from 3.9.0-rc3 to before 4.4.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalFirewall
CWE
References