CVE-2025-6802

Marvell · Marvell QConvergeConsole Storage Management

A critical remote code execution vulnerability, identified as CVE-2025-6802, has been discovered in Marvell QConvergeConsole Storage Management.

Executive summary

This flaw allows a remote, unauthenticated attacker to upload a malicious file and execute arbitrary code, potentially leading to a complete compromise of the affected system. Given the critical severity (CVSS 9.8), immediate remediation is required to prevent data breaches, system takeover, and disruption of storage operations.

Vulnerability

This vulnerability exists within the getFileFromURL function of the Marvell QConvergeConsole software. The function fails to properly validate the file type, name, or destination path of files fetched from a remote URL. A remote attacker can exploit this by providing a URL pointing to a malicious script (e.g., a web shell). The application will download and save this file to a location on the server, likely within the web root, allowing the attacker to then access the file via a web browser to trigger its execution with the permissions of the web server process, resulting in remote code execution (RCE).

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for total system compromise. A successful attack would grant an adversary complete control over the storage management server. This could lead to severe consequences, including the theft of sensitive administrative credentials and storage data, manipulation or destruction of critical data, deployment of ransomware, and using the compromised server as a pivot point to launch further attacks against the internal network. The potential for operational disruption to storage infrastructure poses a significant risk to business continuity.

Remediation

Immediate Action:

  • Patch: Apply the official Marvell security update immediately to all affected installations.
  • Disable Functionality: If the file upload functionality provided by the getFileFromURL feature is not essential for business operations, disable it as a security hardening measure.
  • Input Validation: As a defense-in-depth measure, ensure strict input validation is implemented for all file operations, restricting file types, sizes, and destination paths to only what is explicitly required.

Proactive Monitoring:

  • Log Analysis: Monitor web server and application logs for requests to the getFileFromURL endpoint or any other file upload mechanisms. Scrutinize logs for uploads of suspicious file types (e.g., .jsp, .aspx, .php, .sh) or files being saved to unusual directory paths.
  • Network Traffic Analysis: Monitor for outbound network connections from the QConvergeConsole server to unknown or untrusted external URLs, as this may indicate an attempt to download a malicious payload.
  • File Integrity Monitoring (FIM): Deploy FIM to detect the creation of unauthorized files in web-accessible directories. Alert on any new executable scripts or unexpected files appearing on the server.
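The log analysis described above, as an added example that is not part of this advisory or of Marvell's software: a Python triage script that flags access-log requests to the getFileFromURL endpoint whose parameter values reference an external host, one of the script file types listed above, or a path traversal sequence. The endpoint path, the `url` parameter name and the log layout are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# File types the advisory singles out (extend to local policy).
SUSPICIOUS_EXTS = (".jsp", ".jspx", ".aspx", ".php", ".sh")

# Common/combined access-log layout; an assumption about the local log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def _value_findings(value):
    """Reasons one parameter value looks like a remote fetch of a script."""
    reasons = []
    low = unquote(value).lower()          # second decode catches double-encoding
    parts = urlsplit(low)
    if parts.scheme in ("http", "https", "ftp"):
        reasons.append(f"external fetch from {parts.hostname}")
    if parts.path.endswith(SUSPICIOUS_EXTS):
        reasons.append(f"script file type {parts.path.rsplit('.', 1)[-1]}")
    if "../" in low or "..\\" in low:
        reasons.append("path traversal sequence")
    return reasons

def analyze_line(line):
    """Findings for one log line; an empty list means nothing to flag."""
    m = LOG_RE.match(line)
    if not m or "getfilefromurl" not in m.group("target").lower():
        return []
    findings = ["request to getFileFromURL endpoint"]
    query = urlsplit(m.group("target")).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        findings += [f"{key}: {r}" for v in values for r in _value_findings(v)]
    return findings

# Constructed sample lines; the endpoint path and the 'url' parameter are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2025:10:00:01 +0000] "GET /console/index.html HTTP/1.1" 200 1234',
    '203.0.113.7 - - [12/Jul/2025:10:02:13 +0000] "GET /console/getFileFromURL?url=http://203.0.113.9/update.jsp HTTP/1.1" 200 54',
    '10.0.0.8 - - [12/Jul/2025:10:05:40 +0000] "GET /console/getFileFromURL?url=https://files.example.internal/firmware.bin HTTP/1.1" 200 8192',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(analyze_line(line))
```

Every hit on the endpoint is reported so that legitimate administrative fetches (the third line) can be reviewed rather than silently dropped; only hits that also name a script file type or a traversal sequence warrant an alert.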

Compensating Controls:

  • Web Application Firewall (WAF): If patching cannot be immediately deployed, configure a WAF with a rule to block or alert on requests targeting the vulnerable getFileFromURL function.
  • Network Segmentation: Isolate the QConvergeConsole management interface from the internet. Restrict network access to the server to only trusted administrative subnets to reduce the attack surface.
  • Least Privilege: Ensure the service account running the QConvergeConsole application has the minimum necessary permissions and cannot write to sensitive system directories or execute arbitrary commands.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this remote code execution vulnerability, we recommend treating this as an emergency. Organizations must prioritize the immediate identification and patching of all vulnerable Marvell QConvergeConsole instances. Although there is no public exploit available at this time, the risk of exploitation is imminent. The recommended remediation plan should be executed without delay to prevent a full system compromise and protect critical storage infrastructure.