CVE-2025-6805

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to delete arbitrary files on Marvell QConvergeConsole installations. The flaw exists in the deleteEventLogFile method which doesn't properly validate user-supplied paths before performing file operations. Attackers can exploit this to delete files with SYSTEM privileges.

💻 Affected Systems

Products:
  • Marvell QConvergeConsole
Versions: Specific versions not specified in provided information
Operating Systems: Windows (based on SYSTEM context mentioned)
Default Config Vulnerable: ⚠️ Yes
Notes: Authentication is not required to exploit this vulnerability according to the description.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to system crashes, data loss, or enabling further attacks by removing security controls.

🟠 Likely Case

Service disruption through deletion of application or configuration files, potentially causing downtime or loss of operational data.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Directory traversal vulnerabilities are typically easy to exploit once the attack vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

1. Check Marvell security advisories for patch availability
2. Apply vendor-provided patches when available
3. Test in non-production environment first

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to Marvell QConvergeConsole to trusted IP addresses only

Use firewall rules to limit access to specific source IPs

Application Firewall Rules

all

Block requests to the deleteEventLogFile endpoint

Configure WAF or application firewall to block /deleteEventLogFile requests

🧯 If You Can't Patch

  • Isolate vulnerable systems in separate network segments with strict access controls
  • Implement monitoring and alerting for file deletion events on affected systems

🔍 How to Verify

Check if Vulnerable:

Check if Marvell QConvergeConsole is installed and accessible without authentication

Check Version:

Check application version through admin interface or installation directory

Verify Fix Applied:

Verify patch version against vendor advisory and test that deleteEventLogFile endpoint properly validates paths

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed file deletion attempts
  • Unusual file deletion patterns from web service account
  • Requests to deleteEventLogFile with path traversal sequences (../)

Network Indicators:

  • HTTP requests containing path traversal sequences (../) to deleteEventLogFile endpoint
  • Unusual volume of DELETE requests

SIEM Query:

source="web_server" AND (uri="*deleteEventLogFile*" AND (uri="*../*" OR uri="*..\\*"))
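
The log and network indicators above, as an added detection example (not from Marvell or from this advisory): it goes beyond the literal `../` match in the SIEM query by percent-decoding the URI and normalising backslashes before checking for `..` path tokens. The Common Log Format layout, the `/app/` path, the `name` parameter and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Assumed Common Log Format: ip, identity, user, [time], "METHOD URI PROTO", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
TARGET = "deleteeventlogfile"  # method name from the advisory, matched case-insensitively
MAX_DECODE_ROUNDS = 3          # bounded, so nested percent-encoding is still unwrapped

def normalize(uri: str) -> str:
    """Percent-decode until stable (bounded), unify separators, lowercase."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def has_traversal(uri: str) -> bool:
    """True when any token delimited by / ? & = ; is exactly '..'."""
    return ".." in re.split(r"[/?&=;]", normalize(uri))

def scan(lines):
    """Return (client_ip, status, raw_uri) for traversal requests to the target."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, _method, uri, status = m.groups()
        if TARGET in normalize(uri) and has_traversal(uri):
            hits.append((ip, int(status), uri))
    return hits

# Constructed sample lines; paths and the "name" parameter are placeholders.
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2025:10:00:00 +0000] "GET /app/deleteEventLogFile?name=events.log HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2025:10:00:05 +0000] "GET /app/deleteEventLogFile?name=../../x.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2025:10:00:06 +0000] "GET /app/deleteEventLogFile?name=..%5c..%5cx.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [01/Jul/2025:10:00:07 +0000] "GET /app/DeleteEventLogFile?name=%252e%252e%252fx.txt HTTP/1.1" 500 0',
    '192.0.2.10 - - [01/Jul/2025:10:00:09 +0000] "GET /app/index.html?ref=../a HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The returned status code helps triage: a hit that the server answered with a success status warrants checking the host for missing files, in line with the file deletion monitoring recommended above.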
