CVE-2025-6794

Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability

Assigner: zdi
Reserved: 27.06.2025 Published: 07.07.2025 Updated: 07.07.2025

Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the implementation of the saveAsText method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24913.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.0

Product Status

Vendor	Marvell
Product	QConvergeConsole
Versions	Default: unknown Version 5.5.0.78 is affected

Vendor

Marvell

Product

QConvergeConsole

Versions

Default: unknown

Version 5.5.0.78 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE

CVE-2025-6794 PUBLISHED

Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability

Metrics

Product Status

References

Problem Types