A newly disclosed vulnerability in Convoy, a modern KVM server management panel built for hosting providers, has received the highest possible severity rating (CVSS 10.0) and could allow unauthenticated attackers to achieve Remote Code Execution (RCE) on affected servers.
Identified as CVE-2025-52562, the flaw resides in the LocaleController component and impacts all versions from 3.9.0-rc.3 through 4.4.0.
"An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters," the advisory explains.
The attack vector hinges on a classic yet devastating technique: directory traversal. By abusing insufficient input validation on the locale and namespace parameters, a remote attacker can craft a request that causes the server to include arbitrary PHP files.
"This allows the attacker to include and execute arbitrary PHP files on the server," the advisory warns.
Successful exploitation grants the attacker:
- Full RCE: Execute malicious code remotely with server-level privileges.
- Sensitive data exposure: Including .env configuration files containing database credentials, API keys, and other secrets.
The Convoy team acted quickly to patch the issue. A fix is available in version 4.4.1 and above.
For users unable to update immediately, a temporary mitigation is possible via strict Web Application Firewall (WAF) rules. The advisory offers the following guidance:
- For the locale parameter:
  - Only allow the exact string "en_US en".
- For the namespace parameter:
  - Reject any input containing .. or URL-encoded equivalents.
  - Accept only characters from A-Z, a-z, _, ., and space.
  - Enforce a length between 1 and 191 characters.
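The WAF guidance above is easy to get subtly wrong (for example, checking for `..` only in the raw value and missing double-encoded forms such as `%252e%252e`). The following Python validator is an added example, not code from the Convoy project or from the advisory: it applies the three namespace rules and the locale allowlist to a raw query string, percent-decoding repeatedly before looking for `..`. The locale allowlist value is taken verbatim from the advisory text as reproduced on this page and should be replaced with the locale string(s) your deployment actually serves; the decode-round bound and the decision to ignore absent parameters are assumptions of this example.

```python
import re
from urllib.parse import parse_qs, unquote

# Exact locale string quoted by the advisory as reproduced on this page. Treat it as a
# placeholder and adjust to the locale value(s) your own deployment really serves.
LOCALE_ALLOWLIST = frozenset({"en_US en"})

# Advisory rules for `namespace`: only A-Z, a-z, underscore, dot and space, 1..191 chars.
# '%' is deliberately absent, so any still-encoded byte fails this check as well.
NAMESPACE_RE = re.compile(r"^[A-Za-z_. ]{1,191}$")

MAX_DECODE_ROUNDS = 3  # assumption: enough to collapse double/triple percent-encoding


def fully_decode(value: str) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %2e%2e, %252e%252e and similar all collapse to the literal characters."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_locale(value: str) -> tuple[bool, str]:
    """Locale rule: exact-match allowlist, nothing else."""
    if value in LOCALE_ALLOWLIST:
        return True, "locale allowed"
    return False, "locale not in allowlist"


def check_namespace(value: str) -> tuple[bool, str]:
    """Namespace rules: no '..' in raw or any decoded form, then charset + length."""
    if ".." in value or ".." in fully_decode(value):
        return False, "namespace contains '..' (raw or URL-encoded)"
    if not NAMESPACE_RE.fullmatch(value):
        return False, "namespace has disallowed characters or bad length"
    return True, "namespace allowed"


def check_query(query: str) -> tuple[bool, list[str]]:
    """Apply both rules to a raw query string. Returns (allowed, reasons).
    parse_qs performs one round of percent-decoding and '+' -> space itself;
    fully_decode() handles anything encoded more than once."""
    params = parse_qs(query, keep_blank_values=True)
    reasons: list[str] = []
    for name, checker in (("locale", check_locale), ("namespace", check_namespace)):
        for value in params.get(name, []):  # assumption: absent parameter is not judged
            ok, why = checker(value)
            if not ok:
                reasons.append(why)
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample query strings (not captured traffic) to show each rule firing.
    samples = [
        "locale=en_US+en&namespace=validation",
        "locale=fr_FR&namespace=validation",
        "locale=en_US+en&namespace=..%2fsecrets",
        "locale=en_US+en&namespace=%252e%252e",
        "locale=en_US+en&namespace=",
        "locale=en_US+en&namespace=" + "a" * 192,
    ]
    for q in samples:
        allowed, why = check_query(q)
        print(f"{'ALLOW ' if allowed else 'BLOCK '} {q[:48]:<48} {why}")
```

The validator is stricter than a single-pass string match on purpose: a WAF that checks for the literal `..` before the application's own URL decoding will pass `%2e%2e` straight through, and one that decodes once will pass `%252e%252e`. Checking the charset on the raw value as well means anything that still contains a `%` after the framework's own decoding is rejected regardless.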