CVE-2025-6803 Overview
CVE-2025-6803 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to read arbitrary files from affected installations. The flaw resides in the compressDriverFiles method, which fails to validate user-supplied paths before performing file operations. Attackers can leverage this weakness to disclose sensitive information in the context of the SYSTEM account. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-24923 and tracked publicly as ZDI-25-452. It is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Remote, unauthenticated attackers can read arbitrary files on affected QConvergeConsole hosts with SYSTEM-level access, exposing credentials, configuration data, and other sensitive content.
Affected Products
- Marvell QConvergeConsole (all versions covered by cpe:2.3:a:marvell:qconvergeconsole:*)
- Windows installations where QConvergeConsole runs as SYSTEM
- Storage and Fibre Channel management environments using the affected console
Discovery Timeline
- 2025-07-07 - CVE-2025-6803 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6803
Vulnerability Analysis
The vulnerability exists in the compressDriverFiles method exposed by Marvell QConvergeConsole. The method accepts a path parameter intended to reference driver files for compression and retrieval. Because the implementation does not normalize or validate this input, an attacker can supply traversal sequences such as ../ to escape the intended directory.
The QConvergeConsole service typically runs with SYSTEM privileges on Windows hosts. As a result, the attacker reads files at the highest local privilege level. Attackers can exploit the issue over the network without authentication or user interaction.
The vulnerability is limited to confidentiality impact. It does not directly allow code execution or modification of data on the target. However, disclosed contents can include credentials, tokens, and configuration that enable follow-on attacks.
Root Cause
The root cause is missing path validation in the compressDriverFiles method. The method consumes a user-supplied file path and passes it to file I/O operations without canonicalization, allow-list checks, or directory-bound enforcement. This is a classic [CWE-22] Path Traversal weakness.
Attack Vector
Exploitation occurs over the network against the management interface exposed by QConvergeConsole. An attacker sends a crafted request invoking compressDriverFiles with a traversal path pointing to a sensitive target file. The service reads the file and returns its contents within the compressed archive response.
No credentials are required. The Exploit Prediction Scoring System (EPSS) places this issue in the top tier of likely-to-be-exploited vulnerabilities, indicating elevated probability of opportunistic scanning.
No public proof-of-concept code is currently linked in the advisory. Refer to the Zero Day Initiative Advisory ZDI-25-452 for additional technical context.
Detection Methods for CVE-2025-6803
Indicators of Compromise
- HTTP or RPC requests to the QConvergeConsole management endpoint containing compressDriverFiles invocations with path parameters
- Path parameters containing traversal sequences such as ../, ..\\, %2e%2e%2f, or absolute Windows paths like C:\\Windows\\
- Outbound archive or response payloads from QConvergeConsole containing files outside the expected driver directory
- Unexpected access in audit logs to sensitive files such as SAM, SYSTEM, or application configuration files by the QConvergeConsole service account
Detection Strategies
- Inspect web and application logs on QConvergeConsole hosts for requests referencing compressDriverFiles with suspicious path arguments
- Deploy network signatures that flag traversal patterns directed at the QConvergeConsole management port
- Correlate process activity on the host with file reads originating from the QConvergeConsole service against locations outside its installation directory
Monitoring Recommendations
- Enable verbose logging on QConvergeConsole and forward events to a central SIEM for retention and correlation
- Monitor SYSTEM-level file read activity on management servers and alert on access to credential stores, registry hives, and user profile directories
- Track outbound data volumes from QConvergeConsole hosts to detect bulk extraction through repeated traversal requests
How to Mitigate CVE-2025-6803
Immediate Actions Required
- Restrict network access to the QConvergeConsole management interface so that only trusted administrative hosts can reach it
- Isolate storage management servers on a dedicated management VLAN with strict firewall policies
- Review historical logs for evidence of compressDriverFiles abuse and rotate any credentials that may have been exposed
- Apply vendor updates from Marvell as soon as fixed builds become available
Patch Information
Marvell has not published a fixed version reference in the data available at the time of writing. Administrators should consult Marvell support channels and the Zero Day Initiative Advisory ZDI-25-452 for the latest remediation guidance and patch availability.
Workarounds
- Block external access to the QConvergeConsole TCP listener at the perimeter and host firewall until a patch is deployed
- Stop or disable the QConvergeConsole service on systems where it is not actively required for storage management
- Run QConvergeConsole under a lower-privileged service account where supported to limit the scope of file disclosure
# Example: restrict access to QConvergeConsole management port on Windows
netsh advfirewall firewall add rule name="Block QConvergeConsole External" \
dir=in action=block protocol=TCP localport=8080 \
remoteip=any
netsh advfirewall firewall add rule name="Allow QConvergeConsole Mgmt" \
dir=in action=allow protocol=TCP localport=8080 \
remoteip=10.0.0.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

