CVE-2025-6797: Marvell Qconvergeconsole Path Traversal

CVE-2025-6797 Overview

CVE-2025-6797 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive file contents. The flaw resides in the getFileUploadBytes method, which fails to validate user-supplied paths before performing file operations. Attackers can read arbitrary files in the context of the SYSTEM account on affected installations. The issue is tracked as ZDI-CAN-24917 and classified under [CWE-22] Path Traversal.

Critical Impact

Unauthenticated remote attackers can read arbitrary files with SYSTEM privileges, exposing credentials, configuration data, and other sensitive information from affected QConvergeConsole servers.

Affected Products

• Marvell QConvergeConsole (all versions affected by ZDI-25-456)
• Deployments exposing the management interface to untrusted networks
• Storage and adapter management environments using QConvergeConsole for QLogic Fibre Channel and converged network adapters

Discovery Timeline

• 2025-07-07 - CVE-2025-6797 published to the National Vulnerability Database
• 2025-07-14 - Last updated in NVD database

Technical Details for CVE-2025-6797

Vulnerability Analysis

The vulnerability resides in the getFileUploadBytes method exposed by the QConvergeConsole management service. The method accepts a user-controlled file path parameter and reads the referenced file from disk. Because the implementation does not canonicalize or constrain the input path, attackers can supply traversal sequences such as ..\ or ../ to escape the intended directory. The service runs with SYSTEM privileges, so the returned bytes can include any file the operating system permits the service account to read.

The EPSS probability is approximately 20.23% at the 95th percentile, indicating elevated likelihood of exploitation activity compared to the broader CVE population. No public proof-of-concept is currently listed, and the issue is not present in the CISA Known Exploited Vulnerabilities catalog.

Root Cause

The root cause is missing path validation in the getFileUploadBytes handler. The method trusts a remote-supplied path string and passes it directly to file I/O routines. There is no allowlist of permitted directories, no rejection of traversal sequences, and no enforcement of a base path through canonical resolution. This pattern matches [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.

Attack Vector

The attack is network-reachable and requires no authentication or user interaction. An attacker sends a crafted request to the QConvergeConsole service invoking getFileUploadBytes with a path that traverses outside the intended upload directory. The server responds with the raw bytes of the targeted file. Targets typically include Windows configuration files, application secrets, private keys, and credential stores accessible to SYSTEM.

No verified exploit code is publicly available. Refer to the Zero Day Initiative Advisory ZDI-25-456 for vendor-coordinated technical details.

Detection Methods for CVE-2025-6797

Indicators of Compromise

• HTTP or RPC requests to QConvergeConsole endpoints containing getFileUploadBytes with path parameters that include ../, ..\, or URL-encoded equivalents such as %2e%2e%2f.
• Outbound responses from the QConvergeConsole service containing contents of sensitive system files (for example win.ini, SAM, or application configuration files).
• Unexpected access patterns to the QConvergeConsole management port from external or non-administrative source addresses.

Detection Strategies

• Inspect web and application logs for requests targeting the getFileUploadBytes method and flag any path parameters containing traversal sequences or absolute paths.
• Deploy network intrusion detection signatures that match traversal payloads directed at QConvergeConsole listener ports.
• Correlate file-read telemetry on the QConvergeConsole host with the service account to identify reads outside the application's working directories.

Monitoring Recommendations

• Forward QConvergeConsole application and access logs to a centralized analytics platform and alert on traversal patterns.
• Monitor the QConvergeConsole service process for unusual file-access behavior, especially reads of operating system or credential files.
• Track connections to the QConvergeConsole management interface and alert on access from unexpected network segments.

How to Mitigate CVE-2025-6797

Immediate Actions Required

• Restrict network access to the QConvergeConsole management interface to trusted administrative networks using firewall rules or host-based ACLs.
• Audit QConvergeConsole hosts for evidence of exploitation by reviewing recent access logs for traversal patterns.
• Rotate credentials and secrets stored on affected systems if logs indicate file-disclosure attempts against the getFileUploadBytes endpoint.

Patch Information

Marvell coordinated this disclosure through the Zero Day Initiative under advisory ZDI-25-456. Administrators should consult the Zero Day Initiative Advisory ZDI-25-456 and Marvell support channels for the latest QConvergeConsole release that addresses CVE-2025-6797, then apply the update on every host running the management service.

Workarounds

• Block external access to the QConvergeConsole TCP listener at the perimeter until a patched build is deployed.
• Place the management interface behind a VPN or jump host that enforces authentication and source-address restrictions.
• Run the QConvergeConsole service with the least privileges supported by the platform to reduce the scope of files reachable through traversal.

# Configuration example: restrict QConvergeConsole management port to an admin subnet (Windows)
netsh advfirewall firewall add rule name="QConvergeConsole-Admin-Only" ^
  dir=in action=allow protocol=TCP localport=8080 ^
  remoteip=10.10.20.0/24

netsh advfirewall firewall add rule name="QConvergeConsole-Block-Other" ^
  dir=in action=block protocol=TCP localport=8080