CVE-2025-52562
Published: 23 June 2025
Summary
CVE-2025-52562 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Convoy is a KVM server management panel for hosting providers, and versions 3.9.0-rc3 through 4.4.0 contain a directory traversal vulnerability in the LocaleController component. The flaw, tracked as CVE-2025-52562 and assigned CWE-22 and CWE-98, permits an unauthenticated remote attacker to supply crafted locale and namespace parameters in an HTTP request that results in the inclusion and execution of arbitrary PHP files on the server. The issue carries a CVSS 3.1 score of 10.0, reflecting network-accessible exploitation with no required credentials or user interaction and full confidentiality, integrity, and availability impact under a changed scope.
An attacker can send a single malicious request to the affected endpoints and achieve arbitrary code execution on the underlying server, potentially leading to full compromise of the management panel and any hosted virtual machines. Because the vulnerability is unauthenticated, exploitation can originate from any internet-reachable system without prior access or authentication.
The vulnerability was addressed in version 4.4.1, as noted in the project’s GitHub security advisory GHSA-43g3-qpwq-hfgg and the associated commit that hardened the LocaleController parameter handling. A temporary workaround recommended in the advisory is the deployment of strict Web Application Firewall rules that block or sanitize incoming requests targeting the vulnerable endpoints.
The EPSS score remains flat at 0.0378 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-18951
Vulnerability details
Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules applied to incoming requests targeting the vulnerable endpoints.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
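The control above, applied to the locale and namespace parameters described in the deeper analysis, as an added illustration (this is not Convoy's own LocaleController code; the directory layout under `lang/` and the accepted identifier shapes are assumptions):

```php
<?php
declare(strict_types=1);

// Hardened resolver for locale-file lookups: untrusted "locale" and
// "namespace" request parameters are reduced to allow-listed identifiers
// before they touch the file system, and the canonical result is checked
// against the base directory (CWE-22 / CWE-98 mitigation pattern).
// Illustrative code only; the layout <base>/<locale>/<namespace>.php is assumed.
final class LocaleFileResolver
{
    // Identifier shapes accepted by the allow-list. Anything containing "..",
    // path separators, NUL bytes or stream wrappers such as "php://" cannot match.
    private const LOCALE_RE    = '/\A[a-z]{2}(?:-[A-Z]{2})?\z/';   // e.g. en, pt-BR
    private const NAMESPACE_RE = '/\A[a-z][a-z0-9_]{0,63}\z/';     // e.g. auth

    public function __construct(private readonly string $baseDir) {}

    /** Absolute path of the locale file, or null when the request must be refused. */
    public function resolve(string $locale, string $namespace): ?string
    {
        if (preg_match(self::LOCALE_RE, $locale) !== 1
            || preg_match(self::NAMESPACE_RE, $namespace) !== 1) {
            return null;                       // failed the allow-list
        }

        $base = realpath($this->baseDir);
        if ($base === false) {
            return null;                       // base directory missing
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR);

        // Build the candidate only from validated pieces, then re-check that the
        // canonical path is still inside the base directory (defence in depth
        // against symlinks or a later loosening of the allow-list).
        $candidate = realpath($base . DIRECTORY_SEPARATOR . $locale
            . DIRECTORY_SEPARATOR . $namespace . '.php');
        $prefix = $base . DIRECTORY_SEPARATOR;
        if ($candidate === false || strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
            return null;                       // outside the base directory
        }
        return $candidate;
    }
}

// Usage: a null result is answered with 4xx and is never passed to include().
$resolver = new LocaleFileResolver(__DIR__ . '/lang');
$path = $resolver->resolve((string)($_GET['locale'] ?? ''), (string)($_GET['namespace'] ?? ''));
if ($path === null) {
    http_response_code(400);
    exit;
}
```

Values such as `../../tmp` or `php://filter` fail the regular expressions before any path is built, and the `realpath` prefix check catches anything that still resolves outside `lang/`.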