A critical security vulnerability has been found in Performave Convoy that allows unauthenticated remote attackers to execute arbitrary code on affected servers.
The vulnerability, identified as CVE-2025-52562, affects all versions from 3.9.0-rc.3 through 4.4.0 of the ConvoyPanel/panel package.
Security researcher AnushK-Fro reported the vulnerability five days ago. It has received a critical severity rating with a maximum CVSS score of 10.0/10, indicating the highest possible threat level.
The vulnerability has been patched in version 4.4.1, and all users are strongly advised to upgrade immediately.
Summary
1. A directory traversal vulnerability (CVE-2025-52562) in Performave Convoy's LocaleController allows unauthenticated attackers to execute arbitrary code on affected servers.
2. All Convoy installations from version 3.9.0-rc.3 through 4.4.0 are affected, making this a significant security concern for the entire user base.
3. Successful exploitation gives attackers control of the application server, access to sensitive files such as database credentials and API keys, and a foothold for lateral movement in the network.
4. Users must upgrade to version 4.4.1 or later immediately; temporary WAF rules are the only alternative mitigation for those unable to patch right away.
Directory Traversal Enables Remote Code Execution
The vulnerability exists in the LocaleController component of Performave Convoy and is classified as a directory traversal issue (CWE-22) that can lead to remote code execution through PHP file inclusion (CWE-98).
Attackers can exploit it by sending specially crafted HTTP requests containing malicious values in the locale and namespace parameters.
Exploitation consists of manipulating these parameters so that the resulting path traverses directories outside the intended scope.
This allows attackers to include and execute arbitrary PHP files on the server, bypassing authentication entirely and gaining full control over the application's execution environment.
The directory traversal technique lets attackers reference files outside the intended directory structure using path sequences such as ../../../ to reach sensitive system files.
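The following is an added example that models the pattern described above; it is not Convoy's code, and the directory layout, the function names and the way the path is concatenated are assumptions about the vulnerable pattern rather than details taken from the project. It shows how a URL-encoded namespace value is decoded by the framework before the controller sees it, where an include built by plain concatenation would actually land once the ../ segments are applied, and how a containment check on the normalised path rejects the same input.

```python
import posixpath
from urllib.parse import parse_qs

# Constructed layout for this illustration: a Laravel-style language directory.
# This file is an added example, not Convoy's code; LANG_ROOT, the function
# names and the way the path is built are assumptions about the pattern.
LANG_ROOT = "/var/www/convoy/lang"


def parse_request(query: str) -> tuple[str, str]:
    """Pull locale and namespace out of a raw query string, decoding once the
    way a web framework does before the controller sees the values."""
    params = parse_qs(query, keep_blank_values=True)
    locale = params.get("locale", [""])[0]
    namespace = params.get("namespace", [""])[0]
    return locale, namespace


def unsafe_locale_path(locale: str, namespace: str) -> str:
    """Model of the vulnerable pattern (CWE-22 leading to CWE-98): user input is
    concatenated straight into the filename that will be include()d.  Plain
    string concatenation mirrors PHP, which does not discard earlier path
    components when a later one looks absolute."""
    return f"{LANG_ROOT}/{locale}/{namespace}.php"


def resolved_target(locale: str, namespace: str) -> str:
    """Where the include would actually land once '..' segments are applied."""
    return posixpath.normpath(unsafe_locale_path(locale, namespace))


def is_contained(path: str, root: str) -> bool:
    """True only if the normalised path stays under root.  normpath resolves
    '..' lexically; on a live filesystem use os.path.realpath as well so that
    symlinks cannot point back out of root."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root + "/")


def safe_locale_path(locale: str, namespace: str) -> str:
    """Hardened variant: build the candidate the same way, then refuse anything
    that escapes LANG_ROOT before it is ever passed to include."""
    candidate = unsafe_locale_path(locale, namespace)
    if not is_contained(candidate, LANG_ROOT):
        raise ValueError(f"path escapes {LANG_ROOT}: {candidate}")
    return posixpath.normpath(candidate)


def is_safe_request(locale: str, namespace: str) -> bool:
    """Boolean wrapper around safe_locale_path for callers that only need a
    decision (for example a log-triage script)."""
    try:
        safe_locale_path(locale, namespace)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests: the hostile one carries URL-encoded '../' segments.
    benign = "locale=en_US&namespace=validation"
    hostile = "locale=en_US&namespace=..%2F..%2F..%2F..%2F..%2Ftmp%2Fevil"
    for query in (benign, hostile):
        loc, ns = parse_request(query)
        print(query)
        print("  include target:", resolved_target(loc, ns))
        print("  contained     :", is_safe_request(loc, ns))
```

The containment check normalises the whole candidate path rather than filtering characters, so traversal through either parameter is caught the same way; on a real host the check should run on the realpath so a symlink inside the language directory cannot re-open the escape.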
Risk factors
Affected products: ConvoyPanel/panel (Performave Convoy), versions 3.9.0-rc.3 through 4.4.0
Impact: remote code execution (RCE)
Exploit prerequisites: network access to the vulnerable server; no authentication required; no user interaction needed; low attack complexity; a crafted HTTP request with malicious locale/namespace parameters
CVSS 3.1 score: 10.0 (Critical)
Affected Systems
The vulnerability affects all Performave Convoy installations running versions 3.9.0-rc.3 through 4.4.0.
The impact is particularly severe because exploitation requires no authentication or user interaction, has low attack complexity, and can be carried out remotely over the network.
Successful exploitation leads to several critical security breaches:
Full remote code execution (RCE) on the application server
Access to sensitive configuration files, including .env files
Exposure of database credentials and API keys
Potential lateral movement within internal networks
The CVSS base metrics underscore the severity: Network attack vector, Low attack complexity, No privileges required, No user interaction, Changed scope, and High impact on confidentiality, integrity, and availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Mitigations
ConvoyPanel has released version 4.4.1 to address this vulnerability. Upgrading immediately is the only official and recommended solution.
For organizations that cannot upgrade immediately, temporary mitigation through Web Application Firewall (WAF) rules is advised.
WAF rules should enforce strict validation on the vulnerable parameters:
The locale parameter must exactly match "en_US" or "en"
The namespace parameter must not contain .. sequences or URL-encoded variants of them (such as %2e%2e)
Only alphanumeric characters, underscores, periods, and spaces are allowed in the namespace
The namespace parameter length must be between 1 and 191 characters
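The block below is an added example, not Convoy's code or an official rule set, that turns the four interim checks listed above into a self-contained filter operating on the raw, still URL-encoded query string, the way a WAF sees it. The locale allow-list uses the two values named in the text; the function names and the sample requests are constructed for the illustration. One caveat it makes concrete: because the charset rule permits periods, that rule alone would accept "..", so the explicit dot-dot check (run across repeated URL decoding) is what actually closes the gap.

```python
import re
from urllib.parse import unquote

# Added example, not Convoy's code.  It implements the four interim WAF rules
# as a self-contained check over the raw (still URL-encoded) query string.
# The locale allow-list uses the two values named in the text; function names
# are assumptions.
ALLOWED_LOCALES = frozenset({"en_US", "en"})
NAMESPACE_CHARSET = re.compile(r"^[A-Za-z0-9_. ]{1,191}$")
MAX_DECODE_ROUNDS = 3  # enough to unwrap double-encoded %252e%252e


def contains_dotdot(raw: str) -> bool:
    """True if '..' appears in the raw value or in any URL-decoded form of it
    (%2e%2e, %2E%2E, ..%2f, %252e%252e ...).  Decoding is repeated until the
    value stops changing or the round limit is hit."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        if ".." in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in value


def validate_locale(raw: str) -> bool:
    """Rule 1: exact match against the allow-list, no decoding applied."""
    return raw in ALLOWED_LOCALES


def validate_namespace(raw: str) -> bool:
    """Rules 2-4.  The charset rule permits '.', so on its own it would let
    '..' through; the explicit dot-dot check is what closes that gap.  The
    charset and length checks run on the single-decoded value (what the app
    receives), so a legitimately encoded space (%20) is still accepted."""
    if contains_dotdot(raw):
        return False
    app_sees = unquote(raw)
    return NAMESPACE_CHARSET.fullmatch(app_sees) is not None


def extract_raw_params(query: str) -> dict[str, str]:
    """Split a query string WITHOUT decoding, so encoded payloads stay visible."""
    params: dict[str, str] = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def waf_allows(query: str) -> bool:
    """Decision for one request: both parameters must pass their rules.
    A missing parameter fails closed (empty string matches nothing)."""
    params = extract_raw_params(query)
    return validate_locale(params.get("locale", "")) and validate_namespace(
        params.get("namespace", "")
    )


if __name__ == "__main__":
    # Constructed sample requests; the hostile ones mimic traversal attempts.
    samples = [
        "locale=en_US&namespace=validation",
        "locale=en&namespace=validation%20custom",
        "locale=fr_FR&namespace=validation",
        "locale=en_US&namespace=..%2F..%2Fetc%2Fpasswd",
        "locale=en_US&namespace=%2e%2e/%2e%2e/evil",
        "locale=en_US&namespace=%252e%252e%252fevil",
    ]
    for q in samples:
        print("ALLOW" if waf_allows(q) else "BLOCK", q)
```

The same functions can be run over query strings pulled from access logs to triage requests that arrived before the rule was deployed; a blocked result there is a candidate for incident response, not just a dropped packet.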
Security experts emphasize that these mitigations should be considered temporary measures only; applying the patch remains the definitive fix for this critical vulnerability.