CVE-2025-6804
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to perform directory traversal against Marvell QConvergeConsole installations through the compressFirmwareDumpFiles endpoint. Because the service runs as SYSTEM, an attacker can read arbitrary files on the host, potentially exposing configuration files, credentials, or other sensitive system information. Any reachable installation of an affected QConvergeConsole version is exploitable.
💻 Affected Systems
- Marvell QConvergeConsole
📦 What is this software?
QConvergeConsole (QCC) is Marvell's (formerly QLogic's) web-based management application for its Fibre Channel, FCoE, iSCSI and Ethernet adapters. It runs as a service on Windows and Linux hosts and exposes an HTTP management interface, which is where the vulnerable endpoint lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through disclosure of administrative credentials, configuration files, or sensitive system data leading to lateral movement and full network access.
Likely Case
Information disclosure of sensitive files including configuration data, logs, and potentially credentials stored in accessible locations.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the vulnerable service.
🎯 Exploit Status
Directory traversal bugs of this kind are typically easy to exploit with simple path manipulation (../ sequences, plain or URL-encoded), and this one requires no authentication. The issue was reported through Trend Micro's Zero Day Initiative (tracked as ZDI-CAN-24924), which means a working proof of concept existed at the time of reporting; this page does not reference a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Marvell security advisory for specific patched version
Vendor Advisory: https://www.marvell.com/support/security-advisories.html
Restart Required: Yes
Instructions:
1. Check the Marvell security advisory for the specific patched version.
2. Download and apply the official patch from Marvell.
3. Restart the QConvergeConsole service.
4. Verify the fix by re-sending the traversal request (see How to Verify) and confirming it no longer returns file contents.
🔧 Temporary Workarounds
Network Access Restriction
Windows: Restrict network access to QConvergeConsole to trusted administrative networks only. Windows Firewall evaluates block rules before allow rules, so a single blanket inbound block on the port would also lock out administrators; instead allow only the management subnet and rely on the profile's default inbound action of Block (and remove any pre-existing allow rule for the port). Replace [QCC_PORT] with the port your QCC web service listens on, and the 10.0.0.0/24 placeholder below with your real management subnet. If the console is only ever used locally on the host, use -Action Block without -RemoteAddress to cut all inbound access instead.
Windows Firewall: New-NetFirewallRule -DisplayName "QConvergeConsole admin-only" -Direction Inbound -Protocol TCP -LocalPort [QCC_PORT] -RemoteAddress 10.0.0.0/24 -Action Allow
Application Whitelisting
Windows: Implement application control to prevent unauthorized execution or modification of QConvergeConsole components. Note that this does not stop the traversal itself, which is exercised through QCC's own legitimate code over HTTP; it only limits what an attacker can do on the host after obtaining credentials or configuration data.
🧯 If You Can't Patch
- Isolate the QConvergeConsole server in a dedicated VLAN with strict access controls
- Run the QConvergeConsole service under a dedicated least-privileged account rather than SYSTEM, so that a successful traversal can only read files that account can access
- Implement network monitoring and IDS/IPS rules to detect directory traversal attempts against the compressFirmwareDumpFiles endpoint
🔍 How to Verify
Check if Vulnerable:
On a system you are authorized to test, send a request to the compressFirmwareDumpFiles endpoint with a traversal payload such as ../../../../windows/win.ini (and URL-encoded variants such as ..%2f..%2f). If the response body contains the contents of win.ini (for example its [fonts] and [extensions] section headers), the installation is vulnerable.
Check Version:
Check QConvergeConsole version in application interface or installation directory
Verify Fix Applied:
After patching, retest the directory traversal attempts to confirm they are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in QConvergeConsole logs
- Multiple failed or successful requests with ../ patterns in paths
Network Indicators:
- HTTP requests to compressFirmwareDumpFiles endpoint containing ../ sequences
- Unusual outbound data transfers from QConvergeConsole server
SIEM Query (Splunk-style; the source name is a placeholder, so point it at wherever your QCC or Tomcat access logs land; single- and double-encoded forms must be listed separately unless your SIEM normalises URLs before matching):
source="qconvergeconsole.log" AND ("../" OR "..\\" OR "%2e%2e%2f" OR "%2e%2e%5c" OR "..%2f" OR "..%5c" OR "%252e%252e") AND "compressFirmwareDumpFiles"
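The SIEM query above only matches the literal encodings it lists. The following Python script, added here as an example and not part of this page, Marvell's software, or the ZDI advisory, shows the detection logic a practitioner would want instead: it parses access-log lines, percent-decodes request targets repeatedly (so double encoding such as %252e%252e is caught), folds backslashes to forward slashes, and flags any request whose path or query carries a traversal sequence, with a higher severity when the request hits the compressFirmwareDumpFiles endpoint. The log lines are constructed, and the servlet path (/QConvergeConsole/compressFirmwareDumpFiles) and the `file` query parameter name are assumptions for illustration; the page does not document the real parameter.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, unquote

# Constructed sample lines in Common Log Format. They are NOT real QConvergeConsole logs;
# the servlet path and the "file" query parameter are assumptions made for this example.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Jul/2025:10:15:01 +0000] "GET /QConvergeConsole/compressFirmwareDumpFiles?file=dump1.zip HTTP/1.1" 200 512
203.0.113.7 - - [12/Jul/2025:10:15:05 +0000] "GET /QConvergeConsole/compressFirmwareDumpFiles?file=../../../../windows/win.ini HTTP/1.1" 200 92
203.0.113.7 - - [12/Jul/2025:10:15:06 +0000] "GET /QConvergeConsole/compressFirmwareDumpFiles?file=..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200 92
203.0.113.7 - - [12/Jul/2025:10:15:07 +0000] "GET /QConvergeConsole/compressFirmwareDumpFiles?file=%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 92
10.1.2.3 - - [12/Jul/2025:10:16:00 +0000] "GET /QConvergeConsole/index.html HTTP/1.1" 200 2048
10.1.2.3 - - [12/Jul/2025:10:16:10 +0000] "GET /QConvergeConsole/compressFirmwareDumpFiles?file=....//....//windows/win.ini HTTP/1.1" 200 92
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint name from the advisory; matched case-insensitively against the decoded path.
ENDPOINT = "compressfirmwaredumpfiles"

# An absolute Windows (C:/...) or POSIX (/...) path in a file-name parameter is also suspicious.
ABSOLUTE_RE = re.compile(r"^(?:[a-zA-Z]:/|/)")


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), then fold '\\' to '/'."""
    decoded = value
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(raw_value: str) -> bool:
    """True if the decoded value climbs directories or names an absolute path.

    A plain substring test deliberately also catches '....//' style payloads, which are
    aimed at filters that strip '../' once; they are attack traffic either way.
    """
    norm = normalize(raw_value)
    return "../" in norm or norm.endswith("..") or bool(ABSOLUTE_RE.match(norm))


def analyze_target(target: str) -> Optional[dict]:
    """Inspect the request path and every query parameter of one request target."""
    path, _, query = target.partition("?")
    norm_path = normalize(path)
    hits = []
    if "../" in norm_path:
        hits.append(("path", norm_path))
    for key, value in parse_qsl(query, keep_blank_values=True):
        if is_traversal(value):
            hits.append((key, normalize(value)))
    if not hits:
        return None
    return {"endpoint_match": ENDPOINT in norm_path.lower(), "hits": hits}


def find_traversal_attempts(log_text: str) -> list:
    """Return one finding per log line that carries a traversal payload."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip rather than guess
        result = analyze_target(m.group("target"))
        if result is None:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "target": m.group("target"),
            "endpoint_match": result["endpoint_match"],
            "hits": result["hits"],
        })
    return findings


def sources_by_attempt_count(findings: list) -> Counter:
    """Count attempts per source IP; repeated attempts from one host are the 'multiple requests' indicator."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for f in found:
        severity = "HIGH" if f["endpoint_match"] else "MEDIUM"
        print(f"[{severity}] {f['ip']} {f['timestamp']} HTTP {f['status']} {f['target']}")
    print("attempts per source:", dict(sources_by_attempt_count(found)))
```

An HTTP 200 on a flagged request is the signal to escalate: it indicates the server served the traversal rather than rejecting it, whereas a 4xx after patching is what the Verify Fix Applied step should show.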