CVE-2025-6804 Overview
CVE-2025-6804 is a directory traversal vulnerability in Marvell QConvergeConsole that allows unauthenticated remote attackers to disclose sensitive files from affected installations. The flaw resides in the compressFirmwareDumpFiles method, which fails to validate user-supplied paths before performing file operations. An attacker can read arbitrary files in the context of SYSTEM. The issue was reported through the Trend Micro Zero Day Initiative as ZDI-CAN-24924 and disclosed publicly as ZDI-25-453. It is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Unauthenticated remote attackers can read arbitrary files at the SYSTEM privilege level, exposing credentials, configuration data, and other sensitive assets on the host.
Affected Products
- Marvell QConvergeConsole (management application for Marvell QLogic adapters)
- Windows installations exposing the QConvergeConsole web service
- Server hosts running vulnerable versions identified in ZDI-25-453
Discovery Timeline
- 2025-07-07 - CVE-2025-6804 published to NVD
- 2025-07-14 - Last updated in NVD database
Technical Details for CVE-2025-6804
Vulnerability Analysis
QConvergeConsole exposes a network-accessible management interface used to operate Marvell QLogic Fibre Channel and converged network adapters. The vulnerable compressFirmwareDumpFiles method accepts a path parameter that is intended to identify firmware dump artifacts for compression. The implementation passes that path directly into file operations without canonicalization or allow-listing.
An attacker who supplies traversal sequences such as ..\..\ can redirect the routine outside the intended dump directory. Because the service runs with SYSTEM privileges on Windows, the file read primitive extends across the entire filesystem. The vulnerability is reachable over the network without authentication, increasing the exposure of any internet-facing or lab-segment deployment.
The EPSS model places exploitation probability in the upper percentile, reflecting the public ZDI advisory and the trivial nature of path traversal exploitation.
Root Cause
The root cause is missing input validation on a file path argument. The handler does not normalize the path, does not enforce a fixed base directory, and does not reject parent-directory references. This pattern matches [CWE-22] directly: a pathname supplied by an external actor is consumed by file APIs without restriction to a safe location.
Attack Vector
Exploitation requires network access to the QConvergeConsole service endpoint. The attacker issues a crafted request to the compressFirmwareDumpFiles operation containing a traversal payload pointing at a target file outside the dump directory. The server compresses the targeted file and returns the resulting archive, leaking its contents to the attacker. No credentials, user interaction, or prior foothold are required.
Verified proof-of-concept code is not publicly published. See the Zero Day Initiative Advisory ZDI-25-453 for the technical disclosure.
Detection Methods for CVE-2025-6804
Indicators of Compromise
- Inbound HTTP/HTTPS requests to QConvergeConsole endpoints containing ..\, ../, URL-encoded %2e%2e%2f, or absolute path references in parameters consumed by compressFirmwareDumpFiles.
- Unexpected compressed archive files produced in the QConvergeConsole working directory referencing paths outside the firmware dump folder.
- QConvergeConsole service processes accessing sensitive system locations such as C:\Windows\System32\config\ or user profile directories.
Detection Strategies
- Inspect web server and application logs for requests targeting the firmware dump compression handler with path traversal patterns.
- Hunt for parent-process relationships where the QConvergeConsole Java or service process opens files unrelated to firmware diagnostics.
- Correlate file read events on the management host with external source IPs that have no operational reason to contact the adapter management interface.
Monitoring Recommendations
- Forward QConvergeConsole and Windows file-access telemetry into a centralized analytics platform such as Singularity Data Lake for retrospective hunting and OCSF-normalized correlation.
- Alert on any access by the QConvergeConsole service account to credential stores, registry hives, or web.config-style files.
- Track new outbound transfers of archive files (.zip, .tar.gz) originating from systems running QConvergeConsole.
How to Mitigate CVE-2025-6804
Immediate Actions Required
- Restrict network access to QConvergeConsole management ports to trusted administrative subnets only.
- Remove QConvergeConsole from hosts that do not require active adapter management.
- Audit recent traffic to the management interface for traversal payloads and unexpected archive downloads.
- Apply runtime endpoint protection on hosts running the service to detect post-exploitation file-staging activity.
Patch Information
Marvell has not published a vendor advisory referenced in the NVD entry at the time of writing. Administrators should monitor the Marvell support portal and the Zero Day Initiative advisory page for fixed version information and upgrade when an updated build is released.
Workarounds
- Bind the QConvergeConsole service to localhost and access it through an authenticated jump host or VPN.
- Place the management interface behind a reverse proxy or web application firewall that rejects requests containing .., encoded traversal sequences, or absolute paths in parameter values.
- Run the QConvergeConsole service under a least-privilege account rather than SYSTEM where supported by the deployment.
- Disable the firmware dump compression feature in environments where it is not operationally required.
# Example WAF/proxy rule fragment to block traversal attempts against the
# QConvergeConsole management endpoint (adapt to your reverse proxy syntax)
location /eweb/ {
if ($args ~* "(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c)") {
return 403;
}
proxy_pass http://127.0.0.1:8080;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

