CVE-2025-6801 Overview
CVE-2025-6801 is a directory traversal vulnerability in Marvell QConvergeConsole that allows remote, unauthenticated attackers to write arbitrary files on affected installations. The flaw resides in the saveNICParamsToFile method, which fails to validate user-supplied path input before performing file operations. Attackers can leverage the issue to drop or overwrite files with SYSTEM privileges on Windows hosts. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-24921 and tracked in advisory ZDI-25-460. It is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated remote attackers can write arbitrary files as SYSTEM, enabling code execution, persistence, and full host compromise.
Affected Products
- Marvell QConvergeConsole (all versions prior to vendor fix)
- Deployments exposing the QConvergeConsole management service over the network
- Windows hosts running QConvergeConsole with SYSTEM-level service privileges
Discovery Timeline
- 2025-07-07 - CVE-2025-6801 published to the National Vulnerability Database
- 2025-07-14 - Last updated in NVD database
- ZDI-CAN-24921 / ZDI-25-460 - Reported and coordinated through the Zero Day Initiative
Technical Details for CVE-2025-6801
Vulnerability Analysis
The vulnerability is a directory traversal flaw enabling arbitrary file write. The saveNICParamsToFile method in QConvergeConsole accepts a destination path from the network-facing request and writes NIC parameter data to that location. Because the method does not canonicalize or restrict the supplied path, attackers can include traversal sequences such as ..\ to escape the intended directory. The QConvergeConsole service typically runs as SYSTEM, so any file the attacker writes is created with the highest privilege level on Windows. No authentication is required, making the exposure of the management interface to untrusted networks particularly hazardous.
Root Cause
The root cause is missing input validation on a user-supplied file path before invocation of the file write routine. The application trusts the request-provided destination, omitting checks for absolute paths, traversal characters, or allowlisted target directories. This is a textbook [CWE-22] Path Traversal weakness combined with unrestricted file creation.
Attack Vector
The attack vector is network-based. An attacker reachable to the QConvergeConsole listener sends a crafted request to the saveNICParamsToFile endpoint specifying a traversed target path. The service writes attacker-controlled content to the chosen location. Common exploitation chains include dropping a payload into a Windows service path, a startup directory, or a script auto-loaded by a privileged process, yielding code execution as SYSTEM. Refer to the Zero Day Initiative Advisory ZDI-25-460 for additional technical context.
Detection Methods for CVE-2025-6801
Indicators of Compromise
- Unexpected files created in privileged directories such as C:\Windows\System32, service binary paths, or Startup folders, with the QConvergeConsole service account as the file owner
- Inbound requests to the QConvergeConsole management endpoint containing path traversal sequences (..\, ..%2f, or absolute drive paths) targeting the saveNICParamsToFile method
- New or modified scheduled tasks, services, or autorun entries created shortly after QConvergeConsole network activity
Detection Strategies
- Inspect QConvergeConsole application and web logs for requests invoking saveNICParamsToFile with suspicious path or filename parameters
- Deploy file integrity monitoring on Windows system and startup directories to flag writes originating from the QConvergeConsole process
- Apply network IDS signatures that detect path traversal patterns in HTTP traffic to QConvergeConsole listeners
Monitoring Recommendations
- Alert on child process creation by the QConvergeConsole service, which should rarely spawn interpreters or shells
- Monitor outbound connections from hosts running QConvergeConsole to detect post-exploitation command-and-control traffic
- Track changes to NIC configuration export paths and validate that writes remain within the expected configuration directory
How to Mitigate CVE-2025-6801
Immediate Actions Required
- Restrict network access to QConvergeConsole management interfaces using host firewalls or network segmentation, limiting reachability to trusted administrative hosts only
- Inventory all systems running Marvell QConvergeConsole and prioritize patching of internet-exposed or DMZ-resident installations
- Audit Windows hosts running QConvergeConsole for unexpected files in privileged paths and remove unauthorized artifacts
Patch Information
Marvell has been notified through the Zero Day Initiative coordinated disclosure process. Administrators should consult Marvell vendor channels for the fixed QConvergeConsole release and apply the update on all affected hosts. Until a patched build is deployed, treat the management service as untrusted and isolate it from non-administrative networks. Reference the Zero Day Initiative Advisory ZDI-25-460 for advisory updates.
Workarounds
- Block TCP access to the QConvergeConsole listener from all untrusted networks at the perimeter and host firewall
- Stop or disable the QConvergeConsole service on systems where it is not actively required for NIC management
- Run the QConvergeConsole service under a lower-privileged account where supported, to limit the impact of arbitrary file writes
# Windows firewall example: restrict QConvergeConsole to a management subnet
New-NetFirewallRule -DisplayName "Block QConvergeConsole External" `
-Direction Inbound -Program "C:\Program Files\QLogic Corporation\QConvergeConsole\*" `
-Action Block -Profile Any
New-NetFirewallRule -DisplayName "Allow QConvergeConsole Mgmt Subnet" `
-Direction Inbound -Program "C:\Program Files\QLogic Corporation\QConvergeConsole\*" `
-RemoteAddress 10.10.20.0/24 -Action Allow -Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

