CVE-2025-6795 Overview
CVE-2025-6795 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive information from affected installations. The flaw resides in the getFileUploadSize method, which fails to properly validate user-supplied paths before performing file operations. An attacker can read arbitrary files in the context of the SYSTEM account over the network. The vulnerability is tracked under Zero Day Initiative advisory ZDI-25-455 and was originally identified as ZDI-CAN-24914. It is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated remote attackers can read arbitrary files from the host with SYSTEM-level access, exposing credentials, configuration data, and other sensitive system files.
Affected Products
- Marvell QConvergeConsole
- CPE: cpe:2.3:a:marvell:qconvergeconsole:*:*:*:*:*:*:*:*
- Component: marvell:qconvergeconsole
Discovery Timeline
- 2025-07-07 - CVE-2025-6795 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6795
Vulnerability Analysis
The vulnerability exists within the getFileUploadSize method exposed by QConvergeConsole. The method accepts a file path argument from a remote caller and performs a file size lookup operation against the supplied path. Because the implementation does not canonicalize or restrict the input path, an attacker can supply traversal sequences such as ..\ or absolute paths to reference files outside the intended directory.
The service hosting getFileUploadSize runs with SYSTEM privileges on Windows installations. Successful exploitation therefore enables disclosure of any file readable by SYSTEM, including configuration files, credential stores, registry hive backups, and application logs. Authentication is not required, which means the attack surface is exposed to any network-reachable client.
For full technical analysis, see the Zero Day Initiative Advisory ZDI-25-455.
Root Cause
The root cause is missing input validation on a user-supplied pathname before it reaches a file system API call. The implementation does not enforce a base directory, reject traversal characters, or validate the resolved path against an allowlist. This pattern matches [CWE-22] Path Traversal.
Attack Vector
The attack vector is network-based and does not require authentication or user interaction. An attacker reaches the QConvergeConsole management service over the network and invokes the getFileUploadSize method with a crafted path argument. The response leaks information about the targeted file, enabling reconnaissance and disclosure of sensitive data. The EPSS score is 2.228% (84.698 percentile), indicating elevated exploitation likelihood relative to the broader CVE population.
No public proof-of-concept code is currently available. The vulnerability mechanism is described in the ZDI advisory referenced above.
Detection Methods for CVE-2025-6795
Indicators of Compromise
- Inbound network requests to the QConvergeConsole management port containing traversal sequences such as ..\, ..%2f, or absolute path references like C:\Windows\ in getFileUploadSize parameters.
- Unexpected file access events by the QConvergeConsole service process targeting paths outside its installation directory.
- Anomalous outbound responses from QConvergeConsole containing file metadata for sensitive system paths.
Detection Strategies
- Inspect HTTP and RPC traffic to QConvergeConsole endpoints for path parameters containing traversal patterns and alert on matches.
- Correlate process file-access telemetry with the QConvergeConsole service identity to detect reads of files outside expected directories.
- Monitor for repeated getFileUploadSize invocations from a single source, which suggests enumeration activity.
Monitoring Recommendations
- Enable verbose logging on the QConvergeConsole service and forward logs to a centralized SIEM for retention and analysis.
- Baseline normal management traffic patterns and alert on deviations such as off-hours access or new source addresses.
- Track Windows Security and Sysmon events (Event ID 4663) for file access by the QConvergeConsole service account.
How to Mitigate CVE-2025-6795
Immediate Actions Required
- Restrict network access to QConvergeConsole management interfaces using firewall rules and limit reachability to trusted administrative subnets.
- Inventory all hosts running Marvell QConvergeConsole and prioritize patching internet-exposed and management-network-exposed instances.
- Review file access logs for evidence of prior exploitation targeting sensitive paths.
Patch Information
No vendor advisory URL is listed in the available data at time of publication. Administrators should consult Marvell directly for fixed versions and reference the Zero Day Initiative Advisory ZDI-25-455 for technical details and any updated remediation guidance.
Workarounds
- Place QConvergeConsole behind a VPN or jump host so the management service is not reachable from untrusted networks.
- Apply host-based firewall rules to block inbound connections to QConvergeConsole listening ports from non-administrative sources.
- Run the QConvergeConsole service under a least-privilege account where supported, reducing the impact of arbitrary file reads.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
