A critical security vulnerability, identified as CVE-2025-52562, has been discovered in Performave Convoy's LocaleController. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected servers, leading to complete server control and access to sensitive files. The vulnerability affects all versions from 3.9.0-rc.3 through 4.4.0 of the ConvoyPanel/panel package. Users are advised to upgrade to version 4.4.1 immediately to mitigate risks.
Source: https://cybersecuritynews.com/critical-convoy-vulnerability/
TPRM report: https://scoringcyber.rankiteo.com/company/convoy-technologies
"id": "con603062425",
"linkid": "convoy-technologies",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Performave Convoy',
                        'type': 'Software'}],
 'attack_vector': 'Network',
 'data_breach': {'file_types_exposed': ['.env'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['database credentials', 'API keys', '.env files']},
 'description': "A critical security vulnerability (CVE-2025-52562) in Performave Convoy's LocaleController allows unauthenticated remote attackers to execute arbitrary code on affected servers. The vulnerability affects versions 3.9.0-rc.3 through 4.4.0 of the ConvoyPanel/panel package and has been patched in version 4.4.1. Users are strongly advised to upgrade immediately.",
 'impact': {'data_compromised': ['database credentials', 'API keys', '.env files'],
            'systems_affected': 'Performave Convoy installations running versions 3.9.0-rc.3 through 4.4.0'},
 'initial_access_broker': {'entry_point': 'LocaleController component'},
 'lessons_learned': 'Immediate upgrading to patched versions is crucial for mitigating critical vulnerabilities. Temporary mitigations such as WAF rules can be used but should not replace the need for patching.',
 'post_incident_analysis': {'corrective_actions': 'Patch to version 4.4.1',
                            'root_causes': 'Directory traversal vulnerability in LocaleController'},
 'recommendations': 'Users must upgrade to version 4.4.1 or later immediately. Temporary WAF rules can be used as a stop-gap measure but should not be relied upon as a permanent solution.',
 'response': {'containment_measures': ['Temporary WAF rules'],
              'remediation_measures': ['Upgrade to version 4.4.1']},
 'title': 'Critical Vulnerability in Performave Convoy Allows Remote Code Execution',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-52562'}