CVE-2025-6804 Overview
CVE-2025-6804 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive information from affected installations. The flaw resides in the compressFirmwareDumpFiles method, which fails to properly validate user-supplied paths before using them in file operations. Successful exploitation grants attackers read access to files in the context of the SYSTEM account on Windows hosts. The vulnerability is tracked as ZDI-CAN-24924 and was disclosed through the Zero Day Initiative. It is classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory). The EPSS data places this vulnerability in the 95th percentile, indicating elevated likelihood of exploitation activity.
Critical Impact
Unauthenticated remote attackers can read arbitrary files with SYSTEM-level privileges over the network, exposing credentials, configuration data, and other sensitive information.
Affected Products
- Marvell QConvergeConsole (all versions prior to the vendor fix)
- Deployments on Windows hosts where the service runs as SYSTEM
- Storage and network management environments using QLogic QConvergeConsole agents
Discovery Timeline
- 2025-07-07 - CVE-2025-6804 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6804
Vulnerability Analysis
Marvell QConvergeConsole is a management interface used to configure and monitor QLogic adapters across storage and network infrastructure. The vulnerability stems from the compressFirmwareDumpFiles method, which accepts a user-controlled path parameter without sanitization. An attacker can supply traversal sequences such as ../ to escape the intended firmware dump directory. The method then operates on arbitrary files outside the expected scope. Because QConvergeConsole runs as SYSTEM, an attacker can access files normally restricted to privileged accounts. The flaw does not require authentication, and the attack vector is network-based, which broadens the exposure window for internet-reachable or lateral-movement targets.
Root Cause
The root cause is missing input validation on a path parameter passed to compressFirmwareDumpFiles. The method neither canonicalizes the supplied path nor restricts it to the intended firmware dump directory. This omission maps directly to [CWE-22] directory traversal. Without normalization, traversal characters reach the underlying file API and read content from unintended locations.
Attack Vector
An attacker sends a crafted request to the QConvergeConsole service over the network, supplying a relative path containing traversal sequences. The service resolves the path against the firmware dump location, follows the traversal, and processes the targeted file into the compression operation. The attacker then retrieves the compressed output to disclose its contents. No credentials, user interaction, or local access are required. See the Zero Day Initiative Advisory ZDI-25-453 for additional technical context.
Detection Methods for CVE-2025-6804
Indicators of Compromise
- Inbound HTTP or service requests to QConvergeConsole containing ../, ..\, or URL-encoded traversal sequences (%2e%2e%2f)
- Unexpected access patterns on the firmware dump directory or adjacent system paths
- Compressed firmware dump output files appearing with content sourced from outside the intended directory
- Service logs showing requests to compressFirmwareDumpFiles from untrusted source addresses
Detection Strategies
- Inspect web application firewall and proxy logs for path traversal patterns directed at the QConvergeConsole listener port
- Hunt for SYSTEM-context file reads originating from the QConvergeConsole process targeting paths outside its install directory
- Correlate file system access telemetry with inbound network sessions to the management service
Monitoring Recommendations
- Enable verbose access logging on the QConvergeConsole service and forward logs to a centralized SIEM
- Alert on any anonymous or unauthenticated invocation of firmware dump functionality
- Monitor egress traffic from management hosts for large or unusual data transfers following inbound management requests
How to Mitigate CVE-2025-6804
Immediate Actions Required
- Restrict network access to the QConvergeConsole management interface using host firewalls or network segmentation, limiting it to trusted administrative subnets
- Identify all systems running QConvergeConsole and inventory their exposure to untrusted networks
- Disable the QConvergeConsole service on hosts where it is not actively required
- Apply the latest Marvell-provided update for QConvergeConsole once available
Patch Information
Marvell has been notified through the Zero Day Initiative coordinated disclosure process. Administrators should consult the Zero Day Initiative Advisory ZDI-25-453 and the vendor support portal for the latest fixed version and update instructions. Apply patches across all affected hosts and verify the service binary version after deployment.
Workarounds
- Block external access to the QConvergeConsole TCP listener at the perimeter and host firewall
- Run the QConvergeConsole service only on isolated management networks with strict access control lists
- Where feasible, stop the service when not in use for active firmware management tasks
# Example Windows firewall rule restricting QConvergeConsole access to an admin subnet
netsh advfirewall firewall add rule name="Restrict QConvergeConsole" ^
dir=in action=block protocol=TCP localport=8080 ^
remoteip=any
netsh advfirewall firewall add rule name="Allow QConvergeConsole Admins" ^
dir=in action=allow protocol=TCP localport=8080 ^
remoteip=10.0.0.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
