Critical Convoy Vulnerability Let Attackers Execute Remote Code on Affected Servers
A critical security vulnerability has been discovered in Performave Convoy that allows unauthenticated remote attackers to execute arbitrary code on affected servers.
The vulnerability, identified as CVE-2025-52562, affects all versions from 3.9.0-rc.3 through 4.4.0 of the ConvoyPanel/panel package.
The vulnerability, reported by security researcher AnushK-Fro five days ago, received a critical severity rating with a maximum CVSS score of 10.0, the highest possible threat level.
The vulnerability has been patched in version 4.4.1, and all users are strongly advised to upgrade immediately.
Summary
1. A directory traversal vulnerability (CVE-2025-52562) in Performave Convoy's LocaleController allows unauthenticated attackers to execute arbitrary code on servers.
2. All Convoy installations from version 3.9.0-rc.3 through 4.4.0 are affected, making this a significant security concern for the entire user base.
3. Successful exploitation grants attackers complete server control, access to sensitive files like database credentials and API keys, and potential for lateral network movement.
4. Users must upgrade to version 4.4.1 or later immediately, with temporary WAF rules as the only alternative mitigation for those unable to patch instantly.
Directory Traversal Enables Remote Code Execution
The vulnerability exists in the LocaleController component of Performave Convoy, classified as a directory traversal issue (CWE-22) that can lead to remote code execution (CWE-98).
Attackers can exploit this vulnerability by sending specially crafted HTTP requests containing malicious values in the locale and namespace parameters.
Exploitation involves manipulating these parameters to traverse directories outside the intended scope. This allows attackers to include and execute arbitrary PHP files on the server, effectively bypassing authentication mechanisms and gaining complete control over the application's execution environment.
The directory traversal technique enables attackers to reference files outside the intended directory structure using path sequences like ../../../ to access sensitive system files.
Risk Factors | Details |
Affected Products | ConvoyPanel/panel (Performave Convoy); versions 3.9.0-rc.3 through 4.4.0 |
Impact | Remote Code Execution (RCE) |
Exploit Prerequisites | Network access to the vulnerable server; no authentication required; no user interaction needed; low attack complexity; crafted HTTP request with malicious locale/namespace parameters |
CVSS 3.1 Score | 10.0 (Critical) |
Affected Systems
The vulnerability affects all Performave Convoy installations running versions 3.9.0-rc.3 through 4.4.0.
The impact is particularly severe as it requires no authentication or user interaction, has low attack complexity, and can be executed remotely over a network.
Successful exploitation leads to multiple critical security breaches:
- Complete remote code execution (RCE) on the application server
- Access to sensitive configuration files including .env files
- Exposure of database credentials and API keys
- Potential lateral movement within internal networks
The CVSS base metrics underscore the severity: Network attack vector, Low complexity, No privileges required, No user interaction, Changed scope, and High impact across confidentiality, integrity, and availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Mitigations
ConvoyPanel has released version 4.4.1 to address this vulnerability. Immediate upgrading is the only official and recommended solution.
For organizations that cannot upgrade immediately, temporary mitigation through Web Application Firewall (WAF) rules is advised.
WAF rules should enforce strict validation on the vulnerable parameters:
- The locale parameter must exactly match one of the expected values (“en_US”, “en”)
- The namespace parameter must not contain .. sequences or URL-encoded variants
- Only allow alphanumeric characters, underscores, periods, and spaces in the namespace
- Limit namespace parameter length to between 1 and 191 characters
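As an added illustration of the WAF guidance above (not code from the article or from the Convoy project), the following Python function applies the four rules to the two request parameters and reports every violation; it percent-decodes repeatedly so that URL-encoded and double-encoded traversal sequences are caught. The allowlist of exactly en_US and en is an assumption taken from the bullet above, and the sample parameter pairs are constructed.

```python
import re
from urllib.parse import unquote

# Assumed allowlist of locale values, taken from the WAF guidance in the article.
ALLOWED_LOCALES = {"en_US", "en"}
# namespace: alphanumerics, underscores, periods and spaces only, 1..191 chars.
NAMESPACE_RE = re.compile(r"^[A-Za-z0-9_. ]{1,191}$")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_locale_request(locale: str, namespace: str) -> list:
    """Return the list of rule violations; an empty list means the request passes."""
    violations = []
    if locale not in ALLOWED_LOCALES:
        violations.append("locale not in allowlist")
    ns = fully_decode(namespace)
    if ".." in ns:
        violations.append("namespace contains traversal sequence '..'")
    if not NAMESPACE_RE.fullmatch(ns):
        violations.append("namespace has disallowed characters or bad length")
    return violations


# Constructed sample (locale, namespace) pairs, not captured traffic.
SAMPLES = [
    ("en_US", "validation"),            # passes
    ("en", "auth.failed"),              # passes (periods are allowed)
    ("fr_FR", "validation"),            # locale outside the allowlist
    ("en", "../../../etc/passwd"),      # plain traversal
    ("en", "..%2f..%2fstorage"),        # URL-encoded traversal
    ("en", "%252e%252e%252fstorage"),   # double-encoded traversal
    ("en", "a" * 192),                  # over the length limit
]

if __name__ == "__main__":
    for locale, namespace in SAMPLES:
        result = check_locale_request(locale, namespace) or ["ok"]
        print(f"{locale!r:8} {namespace[:30]!r:34} -> {result}")
```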
Security experts emphasize that these mitigations should be considered temporary measures only, with full patching remaining the definitive solution to this critical security vulnerability.