CVE-2025-6798
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to delete arbitrary files on Marvell QConvergeConsole installations. Attackers can exploit a directory traversal flaw in the deleteAppFile method to delete system files with SYSTEM privileges. All deployments of affected Marvell QConvergeConsole versions are vulnerable.
💻 Affected Systems
- Marvell QConvergeConsole
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via deletion of critical system files, leading to OS corruption, service disruption, or enabling further attacks like privilege escalation.
Likely Case
Service disruption through deletion of application or configuration files, potentially causing downtime or data loss.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.
🎯 Exploit Status
Exploitation requires sending crafted requests to the vulnerable endpoint; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Marvell advisory for specific patched version
Vendor Advisory: https://www.marvell.com/support/security-advisories.html
Restart Required: Yes
Instructions:
1. Check Marvell security advisory for affected versions and patches.
2. Download and apply the latest patch from Marvell support portal.
3. Restart the QConvergeConsole service or system as required.
🔧 Temporary Workarounds
Network Access Restriction
Windows: Block external access to the QConvergeConsole management interface using firewall rules.
Windows Firewall: New-NetFirewallRule -DisplayName 'Block QConvergeConsole' -Direction Inbound -Protocol TCP -LocalPort <port> -Action Block
Application Whitelisting
Windows: Implement application control to prevent unauthorized execution or file deletion.
🧯 If You Can't Patch
- Isolate vulnerable systems in a restricted network segment with no internet access.
- Implement strict network monitoring and alerting for suspicious file deletion attempts.
🔍 How to Verify
Check if Vulnerable:
Check QConvergeConsole version against Marvell's advisory; test with controlled exploit if authorized.
Check Version:
Check QConvergeConsole web interface or installation directory for version info.
Verify Fix Applied:
Verify patch installation by checking version number and testing that deleteAppFile requests with traversal paths are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual file deletion events in system or application logs
- HTTP requests to deleteAppFile with path traversal patterns (e.g., '../')
Network Indicators:
- HTTP POST requests to deleteAppFile endpoint with crafted paths
- Unusual traffic to QConvergeConsole management port from untrusted sources
SIEM Query:
source='qconvergeconsole.log' AND (uri_path='*deleteAppFile*' AND (uri_query='*../*' OR body='*../*'))
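A literal '../' match misses URL-encoded, double-encoded and backslash forms unless the log source decodes them first. The following is an added detection example, not code from Marvell or from this advisory, that normalizes each request before checking for a '..' path segment. The log layout, the /app/ prefix and the parameter name "p" are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# Assumed log layout (constructed): "src_ip METHOD uri body", "-" for no body.
ENDPOINT = "deleteappfile"
# ".." as a whole path segment, delimited by / or \ (or a parameter boundary).
TRAVERSAL = re.compile(r"(^|[\\/=&?])\.\.([\\/]|$)")

def normalize(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(uri, body=""):
    """True when a deleteAppFile request carries a '..' path segment."""
    uri_n, body_n = normalize(uri), normalize(body)
    if ENDPOINT not in uri_n.lower():
        return False
    return bool(TRAVERSAL.search(uri_n) or TRAVERSAL.search(body_n))

def scan(lines):
    """Return (src_ip, method, uri) for every flagged log line."""
    hits = []
    for line in lines:
        parts = line.strip().split(" ", 3)
        if len(parts) < 3:
            continue  # malformed line, skip
        src, method, uri = parts[:3]
        body = parts[3] if len(parts) == 4 else ""
        if is_suspicious(uri, body):
            hits.append((src, method, uri))
    return hits

# Constructed sample lines; the /app/ prefix and parameter "p" are placeholders.
SAMPLE = [
    "192.0.2.10 POST /app/deleteAppFile p=report.txt",
    "192.0.2.11 POST /app/deleteAppFile p=../../example.txt",
    "192.0.2.12 POST /app/deleteAppFile p=%2e%2e%5c%2e%2e%5cexample.txt",
    "192.0.2.13 GET /app/deleteAppFile?p=%252e%252e%252fexample.txt -",
    "192.0.2.14 GET /app/status?p=../x -",
    "192.0.2.15 POST /app/deleteAppFile p=notes..txt",
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Adapt the line parser in scan() to the field layout your web server or proxy actually writes; the normalization and segment check are independent of it.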