## Marvell QConvergeConsole Path Traversal Flaw (CVE-2025-6793) Enables Unauthenticated File Access with Destructive Side Effect
A critical path traversal vulnerability in Marvell QConvergeConsole has been disclosed and weaponized, allowing unauthenticated attackers to read arbitrary files from affected systems, with an unusual and destructive twist: retrieved files are automatically deleted from the target server. Tracked as CVE-2025-6793, the flaw affects QConvergeConsole, a widely deployed storage management platform used in enterprise environments, in versions up to and including v5.5.0.85. The vulnerability requires no authentication, lowering the barrier for exploitation significantly.

The exploit module, now integrated into the Metasploit Framework, demonstrates the ease with which attackers can leverage the flaw. By manipulating file path parameters, an adversary can traverse outside intended directories and access sensitive system files, including configuration data, credentials, or other critical assets stored on the server. The destructive file deletion behavior—where each file accessed is subsequently removed—adds a layer of operational risk, potentially disrupting services or destroying evidence of compromise. Verification steps published alongside the module confirm the vulnerability is reproducible on default installations of the affected software.

The disclosure raises immediate concerns for organizations running Marvell QConvergeConsole in production environments. The combination of unauthenticated access, arbitrary file read capability, and involuntary file deletion creates a scenario where both data exfiltration and service disruption are possible without sophisticated tooling. Storage management consoles often hold privileged access to underlying infrastructure, making them high-value targets. Security teams should treat this as a high-priority patching candidate and review logs for any anomalous file access patterns. The availability of a public Metasploit module increases the likelihood of opportunistic scanning and exploitation in the near term.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-6793, path traversal, Marvell, QConvergeConsole, Metasploit
- **Credibility**: unverified
- **Published**: 2026-05-08 17:24:46
- **ID**: 80711
- **URL**: https://whisperx.ai/en/intel/80711