- Description
- Convoy is a KVM server management panel for hosting businesses. Versions from 3.9.0-rc3 up to, but not including, 4.4.1 contain a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit it by sending a specially crafted HTTP request whose locale and namespace parameters carry traversal sequences, causing the application to include and execute an arbitrary PHP file on the server. The issue is fixed in version 4.4.1. Until the upgrade is applied, a temporary workaround is to apply strict Web Application Firewall (WAF) rules to incoming requests that target the vulnerable endpoints.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Secondary
- Base score
- 10
- Impact score
- 6
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Severity
- CRITICAL
- Weakness
- CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal"; source: security-advisories@github.com)
- Hype score
- Not currently trending
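The description above names the bug class but not its mechanics. The following is an added example, not code from the Convoy project or from the advisory: it shows why splicing unvalidated `locale` and `namespace` values into a filesystem path escapes the intended directory, the allowlist-plus-containment check that closes that hole, and a WAF-style filter of the kind the workaround refers to, run over constructed access-log lines. The `LANG_ROOT` directory, the `/api/locale` path, the allowlists and the log lines are all assumptions made for illustration; the page does not name the real endpoint.

```python
"""Added example, not Convoy's code: how a traversal in locale/namespace
parameters escapes the locale directory, the check that prevents it, and a
WAF-style filter applied to constructed access-log lines."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LANG_ROOT = "/var/www/app/lang"                 # assumed location of locale files
ALLOWED_LOCALES = {"en", "de", "fr"}            # assumed allowlists
ALLOWED_NAMESPACES = {"auth", "validation", "ui"}


def naive_resolve(locale: str, namespace: str) -> str:
    """Flawed pattern: request values spliced straight into a file path.
    normpath collapses the '../' segments the same way the OS does when the
    application later include()s the file, so the result can leave LANG_ROOT."""
    return posixpath.normpath(posixpath.join(LANG_ROOT, locale, namespace + ".php"))


def hardened_resolve(locale: str, namespace: str) -> Optional[str]:
    """Two independent defences: allowlist both values, then verify the
    normalised path is still inside LANG_ROOT. Returns None when rejected."""
    if locale not in ALLOWED_LOCALES or namespace not in ALLOWED_NAMESPACES:
        return None
    path = posixpath.normpath(posixpath.join(LANG_ROOT, locale, namespace + ".php"))
    if posixpath.commonpath([LANG_ROOT, path]) != LANG_ROOT:
        return None
    return path


# '..' as a whole path segment (either slash style) or an embedded null byte.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)|\x00")


def decode_layers(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2e%2e%2f and double-encoded %252e%252e%252f
    are both seen as '../'; stops early once decoding no longer changes anything."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_request(url: str) -> bool:
    """WAF-style rule: flag a request whose locale or namespace parameter
    carries a traversal segment or null byte after decoding, or is not in
    the allowlist. parse_qs already performs one round of decoding."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name, allowed in (("locale", ALLOWED_LOCALES), ("namespace", ALLOWED_NAMESPACES)):
        for raw in params.get(name, []):
            value = decode_layers(raw)
            if TRAVERSAL.search(value) or value not in allowed:
                return True
    return False


# Constructed access-log lines; the /api/locale path is an assumption,
# the real endpoint is not named on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2025:10:00:01 +0000] "GET /api/locale?locale=en&namespace=auth HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2025:10:00:02 +0000] "GET /api/locale?locale=..%2F..%2F..%2Ftmp&namespace=shell HTTP/1.1" 200 88',
    '203.0.113.9 - - [23/Jun/2025:10:00:03 +0000] "GET /api/locale?locale=%252e%252e%252fetc&namespace=passwd%00 HTTP/1.1" 500 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_log_lines(lines: List[str]) -> List[str]:
    """Return the client IP of every log line whose request the rule flags."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and is_suspicious_request(match.group(1)):
            hits.append(line.split()[0])
    return hits


if __name__ == "__main__":
    print(naive_resolve("../../../tmp", "shell"))     # escapes to /var/tmp/shell.php
    print(hardened_resolve("../../../tmp", "shell"))  # None
    print(flag_log_lines(SAMPLE_LOG))                 # both 203.0.113.9 requests
```

The naive resolver lands on `/var/tmp/shell.php`, a world-writable location, which is why a traversal into an `include()` becomes code execution rather than just file disclosure. The hardened resolver rejects on the allowlist before the path is ever built, and the containment check is kept as a second line of defence in case the allowlist is later relaxed. The WAF-style rule decodes repeatedly because a single decode pass is the usual way such filters are bypassed.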
A critical vulnerability (CVE-2025-52562) in Performave Convoy—a KVM server management panel widely used by hosting providers—enables unauthenticated attackers to execute arbitrary code on affected systems. #cybersecurity https://t.co/Su1flvzlXa
@cybertzar
25 Jun 2025
53 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️⚠️ CVE-2025-52562 (CVSS 10.0). Unauthenticated remote attackers can exploit this vulnerability by sending specially crafted HTTP requests with malicious locale and namespace parameters. 🎯 416+ results are found on the https://t.co/pb16tGYaKe in nearly a year. 🔗FOFA htt
@fofabot
25 Jun 2025
1402 Impressions
3 Retweets
24 Likes
8 Bookmarks
0 Replies
0 Quotes
A serious vulnerability (CVE-2025-52562) has been discovered in Performave Convoy, a KVM management panel widely used in the hosting industry. It allows remote code execution (RCE) without authentication.
@yousukezan
24 Jun 2025
585 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical directory traversal vulnerability (CVE-2025-52562) in Performave Convoy allows unauthenticated attackers to execute arbitrary code, affecting all installations from versions 3.9.0-rc.3 to 4.4.0. With a perfect CVSS score of 10.0/10, the risk is immense, prompting im...
@CybrPulse
24 Jun 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
CVE-2025-52562: A new RCE flaw in Performave Convoy (CVSS 10.0) lets attackers take full server control — no login required. Paxion Cyber offers: 🔐 Patch audits 🛡️ WAF protection 🚨 RCE mitigation Patch NOW or call us to help. #CyberSecurity #RCE #ZeroDay #CVSS10 #I
@PaxionCyber
24 Jun 2025
66 Impressions
3 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-52562: CRITICAL] Security advisory: In Performave Convoy versions 3.9.0-rc3 to < 4.4.1, a directory traversal vulnerability exists in LocaleController. Update to 4.4.1 or apply strict WAF rules as ...#cve,CVE-2025-52562,#cybersecurity https://t.co/Moikc0HZXy https://
@CveFindCom
23 Jun 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-52562 Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleContr… https://t.co/1L4dhY0HV6
@CVEnew
23 Jun 2025
490 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes