How to fix EUVD-2025-18951?

Within 24 hours: Inventory all Convoy installations and identify vulnerable versions; immediately implement WAF rules blocking suspicious locale/namespace parameters to the affected endpoints; disable remote access to Convoy if possible. Within 7 days: Upgrade to Convoy version 4.4.1 or later; conduct security audit of Convoy access logs for exploitation attempts; reset all administrative credentials. Within 30 days: Perform forensic analysis on affected systems for unauthorized access or code execution; review and strengthen network segmentation around hosting infrastructure; implement continuous vulnerability scanning.

Is PHP affected by EUVD-2025-18951?

A critical vulnerability in Convoy KVM management panels (versions 3.9.0-rc3 to 4.4.0) allows unauthenticated attackers to execute arbitrary code on affected servers through directory traversal.

EUVD-2025-18951

| CVE-2025-52562 CRITICAL

2025-06-23 [email protected]

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 22:10 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 22:10 euvd

EUVD-2025-18951

CVE Published

Jun 23, 2025 - 21:15 nvd

CRITICAL 10.0

Description

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.

Analysis

A path traversal vulnerability in versions 3.9.0-rc3 to (CVSS 10.0) that allows the attacker. Critical severity with potential for significant impact on affected systems.

Technical Context

CWE-22 (Path Traversal). CVSS 10.0 indicates critical severity with likely remote exploitation vector. Affects versions 3.9.0-rc3 to.

Affected Products

['versions 3.9.0-rc3 to']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +1.9

CVSS: +50

POC: 0

EUVD-2025-18951 vulnerability details – vuln.today

Back

EUVD-2025-18951

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

EUVD-2025-18951

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code