CVE-2025-6797 Overview
CVE-2025-6797 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive information from affected installations. The flaw resides in the getFileUploadBytes method, which fails to validate a user-supplied path before performing file operations. An attacker can exploit this weakness to read arbitrary files in the context of the SYSTEM account. The vulnerability was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-24917 and is classified under CWE-22 (Path Traversal). The Exploit Prediction Scoring System (EPSS) places this issue in the 95.55th percentile, indicating a relatively high likelihood of exploitation activity.
Critical Impact
Unauthenticated remote attackers can read arbitrary files as SYSTEM on hosts running Marvell QConvergeConsole, exposing credentials, configuration data, and other sensitive content.
Affected Products
- Marvell QConvergeConsole (all versions identified by cpe:2.3:a:marvell:qconvergeconsole)
- Storage management environments deploying QConvergeConsole on Windows hosts
- Server platforms using Marvell QLogic Fibre Channel and converged network adapter management tooling
Discovery Timeline
- 2025-07-07 - CVE-2025-6797 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6797
Vulnerability Analysis
The vulnerability exists in the getFileUploadBytes method exposed by Marvell QConvergeConsole. The method accepts a file path parameter from the requester and passes it directly into file read operations without normalizing or constraining the path. An attacker can supply traversal sequences such as ..\ or absolute paths to step out of the intended directory and read files anywhere on the file system. Because QConvergeConsole runs with SYSTEM privileges on Windows, the disclosed content is not limited by user-level access controls. No authentication is required, so any actor with network reachability to the management service can issue the request. The exposed data can include service account credentials, registry hive backups, application configuration files, and stored secrets that enable follow-on attacks.
Root Cause
The defect is a classic path traversal weakness (CWE-22). The getFileUploadBytes handler trusts the supplied path argument and performs no canonicalization, allow-list checks, or directory containment validation before invoking the underlying file read API. Refer to the Zero Day Initiative Advisory ZDI-25-456 for the detailed technical breakdown.
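To make the root-cause description concrete, here is an added Python example; it is not QConvergeConsole code (the product's implementation is not shown on this page) but a side-by-side of the unchecked pattern the advisory describes and a containment check that closes it. The ntpath module is used so Windows path semantics run on any platform, and UPLOAD_ROOT is a constructed placeholder rather than the product's real upload directory.

```python
import ntpath
from typing import Optional

# Constructed placeholder; not the product's real upload directory.
UPLOAD_ROOT = r"C:\Program Files\QCC\uploads"


def resolve_upload_path_unchecked(user_path: str, root: str = UPLOAD_ROOT) -> str:
    """The pattern the advisory describes: the supplied path is joined to the
    upload directory and handed to the file API with no containment check.
    '..' components and drive-qualified or rooted input resolve anywhere on disk."""
    return ntpath.normpath(ntpath.join(root, user_path))


def resolve_upload_path_checked(user_path: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Hardened variant: refuse drive-qualified or rooted input, canonicalize the
    joined path, and require that it stays inside the upload directory.
    Returns the canonical path, or None when the request must be rejected."""
    if not user_path:
        return None
    # A drive letter (C:...) or a leading separator makes ntpath.join discard
    # the root entirely, so refuse those before joining.
    if ntpath.splitdrive(user_path)[0] or user_path[:1] in ("\\", "/"):
        return None
    root_norm = ntpath.normpath(root)
    # normpath collapses '.' and '..' and unifies '/' and '\' separators.
    candidate = ntpath.normpath(ntpath.join(root_norm, user_path))
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:  # different drives, or mixed absolute/relative input
        return None
    # Component-wise containment, compared case-insensitively as Windows does.
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        return None
    return candidate


if __name__ == "__main__":
    for p in ("report.txt", r"..\..\..\Windows\win.ini", r"C:\Windows\win.ini"):
        print(f"{p!r:32} unchecked -> {resolve_upload_path_unchecked(p)}")
        print(f"{'':32} checked   -> {resolve_upload_path_checked(p)}")
```

Containment is decided with commonpath rather than a string prefix test: a prefix test would accept `..\uploads-old\x`, which resolves to `C:\Program Files\QCC\uploads-old\x` and starts with the upload directory's name without being inside it.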
Attack Vector
Exploitation occurs over the network against the QConvergeConsole management interface. An attacker crafts a request that invokes getFileUploadBytes with a path containing directory traversal sequences pointing at a target file such as a configuration store or credential file. The server returns the file contents in the response. No user interaction or prior authentication is required, and attack complexity is low. See the Zero Day Initiative Advisory ZDI-25-456 for protocol-level details.
Detection Methods for CVE-2025-6797
Indicators of Compromise
- HTTP or web service requests to the QConvergeConsole management endpoint containing path traversal sequences such as ..\, ../, or URL-encoded variants like %2e%2e%2f
- Invocations of the getFileUploadBytes method referencing absolute paths or files outside the application's expected upload directory
- Unexpected outbound responses from the QConvergeConsole service returning large file payloads to untrusted clients
Detection Strategies
- Inspect web application logs and reverse-proxy logs for requests targeting getFileUploadBytes with path parameters
- Apply web application firewall (WAF) signatures that flag path traversal patterns directed at the QConvergeConsole listener
- Correlate network telemetry showing unauthenticated sessions retrieving files from sensitive Windows paths such as C:\Windows\System32\config\ or C:\ProgramData\
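The indicators of compromise and detection strategies above, as an added example that is not part of the original advisory: a Python scan over constructed access-log lines that flags getFileUploadBytes requests carrying traversal sequences, multi-layer percent-encoding, or drive-qualified and rooted paths. The log lines are in Common Log Format, and the /qcc/getFileUploadBytes URL and file= parameter are placeholders, since the real endpoint path and parameter names are not given on this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Common Log Format). The /qcc/getFileUploadBytes
# URL and the file= parameter are placeholders, not the product's real endpoint.
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jul/2025:10:15:22 +0000] "GET /qcc/getFileUploadBytes?file=reports/weekly.csv HTTP/1.1" 200 8812',
    '198.51.100.7 - - [08/Jul/2025:10:15:31 +0000] "GET /qcc/getFileUploadBytes?file=..%5c..%5c..%5cWindows%5cwin.ini HTTP/1.1" 200 403',
    '203.0.113.5 - - [08/Jul/2025:10:16:02 +0000] "GET /qcc/getFileUploadBytes?file=%252e%252e%252fProgramData%252fsettings.ini HTTP/1.1" 200 210',
    '203.0.113.5 - - [08/Jul/2025:10:16:40 +0000] "GET /qcc/getFileUploadBytes?file=C:%5cProgramData%5capp.conf HTTP/1.1" 200 1337',
    '192.0.2.9 - - [08/Jul/2025:10:17:00 +0000] "GET /qcc/status HTTP/1.1" 200 55',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A '..' path component delimited by either separator (or the end of the value).
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Drive-qualified (C:\...) or rooted (\... or /...) paths.
ABSOLUTE_RE = re.compile(r"^(?:[A-Za-z]:|[\\/])")


def decode_layers(value: str, max_rounds: int = 4) -> tuple:
    """Percent-decode repeatedly until the value stops changing. Returns the
    plaintext and the number of rounds needed, so %252e%252e (double encoding)
    is both decoded and noticed."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify_value(raw: str) -> set:
    """Reasons a single (still-encoded) parameter value looks like traversal."""
    decoded, rounds = decode_layers(raw)
    reasons = set()
    if TRAVERSAL_RE.search(decoded):
        reasons.add("traversal_sequence")
    if ABSOLUTE_RE.match(decoded):
        reasons.add("absolute_path")
    if rounds >= 2:
        reasons.add("multi_layer_encoding")
    return reasons


def scan_access_log(lines):
    """Return one finding per request that invokes getFileUploadBytes with a
    suspicious path argument. Benign uploads and unrelated URLs produce nothing."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        path, _ = decode_layers(parts.path)
        if "getFileUploadBytes" not in path:
            continue
        reasons = set()
        # Split the query by hand so the raw, still-encoded values reach the
        # encoding-depth check; parse_qs would have decoded them already.
        for pair in parts.query.split("&"):
            _, _, raw_value = pair.partition("=")
            reasons |= classify_value(raw_value)
        if reasons:
            findings.append({
                "client": m["client"], "time": m["time"], "status": m["status"],
                "url": m["url"], "reasons": sorted(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], ",".join(f["reasons"]), f["url"])
```

Run against the constructed lines, the first request (a normal relative file name) and the unrelated status URL produce no finding; the three remaining getFileUploadBytes calls are reported with the reason that matched. A 200 status on a flagged request is the combination worth escalating, since it indicates the server returned file content rather than refusing the path.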
Monitoring Recommendations
- Enable verbose access logging on the QConvergeConsole HTTP listener and forward logs to a central analytics platform
- Alert on any access to the management service from network segments that should not reach storage administration tooling
- Monitor file system audit events for reads of credential stores or registry hive files performed by the QConvergeConsole service account
How to Mitigate CVE-2025-6797
Immediate Actions Required
- Restrict network access to the QConvergeConsole management interface using firewall rules or host-based access control lists
- Apply the vendor-supplied patch as soon as Marvell publishes a fixed release for affected QConvergeConsole versions
- Audit recent QConvergeConsole access logs for evidence of getFileUploadBytes calls with suspicious path parameters and rotate any credentials that may have been exposed
Patch Information
No vendor advisory URL is published in the NVD record at this time. Administrators should consult Marvell support channels and the Zero Day Initiative Advisory ZDI-25-456 for fixed version information and apply updates as soon as they are available.
Workarounds
- Place the QConvergeConsole service behind a management VLAN or VPN so the listener is unreachable from general-purpose networks
- Disable or stop the QConvergeConsole service on hosts where it is not actively required for storage administration
- Deploy a reverse proxy or WAF in front of the management interface to block requests containing path traversal sequences or absolute file paths
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.