CVE-2025-6800 Overview
CVE-2025-6800 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive information from affected installations. The flaw resides in the restoreESwitchConfig method, which fails to properly validate user-supplied paths before performing file operations. Attackers can leverage this issue to read arbitrary files in the context of the SYSTEM account. The vulnerability is tracked under Zero Day Initiative advisory ZDI-25-459 (formerly ZDI-CAN-24920) and is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Remote unauthenticated attackers can read arbitrary files with SYSTEM-level privileges on systems running vulnerable QConvergeConsole installations.
Affected Products
- Marvell QConvergeConsole (all versions prior to the vendor-released fix)
- Deployments using the restoreESwitchConfig management functionality
- Windows hosts running QConvergeConsole services with SYSTEM privileges
Discovery Timeline
- 2025-07-07 - CVE-2025-6800 published to NVD
- 2025-07-14 - Last updated in NVD database
- ZDI-CAN-24920 / ZDI-25-459 - Coordinated disclosure tracked by Zero Day Initiative
Technical Details for CVE-2025-6800
Vulnerability Analysis
The vulnerability stems from improper input validation in the restoreESwitchConfig method exposed by Marvell QConvergeConsole. The method accepts a file path parameter from the requesting client and uses it directly in file operations without canonicalization or directory containment checks. Because the service runs with SYSTEM privileges on Windows, an attacker can traverse outside the intended configuration directory and access protected files anywhere on the host. Authentication is not required, which exposes the management interface to any network-reachable attacker. The Zero Day Initiative tracks this issue as ZDI-25-459. Public exploitation has not been confirmed, but the EPSS data places this vulnerability in a high percentile relative to other CVEs, indicating elevated exploitation likelihood.
Root Cause
The root cause is the absence of path canonicalization and allow-list validation in the restoreESwitchConfig handler. The method trusts client-supplied path input and resolves it relative to a working directory without rejecting .. sequences or absolute paths. This pattern matches the [CWE-22] directory traversal weakness class.
Attack Vector
An attacker sends a crafted request to the QConvergeConsole management service over the network. The request invokes restoreESwitchConfig with a path containing traversal sequences (for example, ..\..\..\Windows\System32\config\SAM style payloads) that resolve outside the expected directory. The service opens the targeted file using SYSTEM privileges and returns its contents to the attacker, enabling disclosure of credentials, configuration data, and operating system artifacts.
No verified proof-of-concept code has been published. See the Zero Day Initiative Advisory ZDI-25-459 for additional technical context.
Detection Methods for CVE-2025-6800
Indicators of Compromise
- Inbound network requests to QConvergeConsole listening ports containing ..\ or ../ traversal sequences in path parameters
- Invocations of the restoreESwitchConfig method from unexpected source addresses or outside maintenance windows
- QConvergeConsole service process accessing files outside its installation directory, especially under C:\Windows\ or user profile paths
- Anomalous file read activity by the QConvergeConsole service account with SYSTEM privileges
Detection Strategies
- Inspect HTTP and management protocol traffic to QConvergeConsole for traversal payloads and decode encoded variants (%2e%2e%2f, ..%5c)
- Correlate file-system telemetry showing the QConvergeConsole process opening sensitive files such as SAM, SYSTEM hives, or .config files
- Apply signature or YARA rules that match the restoreESwitchConfig method name combined with path traversal patterns
- Review web server and application logs for repeated 200-status responses to requests invoking management restore endpoints
Monitoring Recommendations
- Forward QConvergeConsole application and access logs to a centralized SIEM for retention and correlation
- Alert on any unauthenticated invocation of administrative methods on the management interface
- Baseline normal file-access patterns of the QConvergeConsole service and alert on deviation
- Monitor egress traffic from management hosts for unusual data volumes that may indicate file exfiltration
How to Mitigate CVE-2025-6800
Immediate Actions Required
- Restrict network access to QConvergeConsole management interfaces to trusted administrative hosts using firewall rules or network segmentation
- Disable or block the restoreESwitchConfig endpoint at a reverse proxy until a vendor patch is deployed
- Audit hosts running QConvergeConsole and inventory exposed service ports
- Rotate credentials and review sensitive files that may have been exposed if compromise is suspected
Patch Information
At the time of NVD publication on 2025-07-07, no vendor advisory URL is referenced in the CVE record. Administrators should consult Marvell directly and monitor the Zero Day Initiative Advisory ZDI-25-459 for vendor remediation guidance and version-specific fix information.
Workarounds
- Place QConvergeConsole behind a VPN or jump host so the management service is not reachable from general corporate or internet-facing networks
- Enforce host-based firewall rules to allow only specific administrator workstations to connect to the management port
- Run the QConvergeConsole service under a lower-privileged account where supported to reduce the impact of arbitrary file reads
- Remove QConvergeConsole from systems where it is not actively required for adapter management
# Example: restrict QConvergeConsole management port to a single admin subnet (Windows netsh)
netsh advfirewall firewall add rule name="QCC-Restrict" ^
dir=in action=block protocol=TCP localport=8080
netsh advfirewall firewall add rule name="QCC-Allow-Admins" ^
dir=in action=allow protocol=TCP localport=8080 ^
remoteip=10.10.50.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

