Critical Vulnerability Information

Vulnerability Name: (0Day) Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability
Vulnerability IDs:
- ZDI-25-464
- ZDI-CAN-24922
CVE ID: CVE-2025-6802
CVSS Score: 9.8, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Vendor: Marvell
Affected Product: QConvergeConsole

Vulnerability Details

Description: This vulnerability allows remote attackers to execute arbitrary code on affected Marvell QConvergeConsole installations. Exploitation of this vulnerability does not require authentication.
Specific Issue: The flaw is in the implementation of the getFileFromURL method. Because user-supplied data is not sufficiently validated, arbitrary files can be uploaded. Attackers can exploit this vulnerability to execute code in the SYSTEM context.

Additional Details

Report Submission: On September 25, 2024, ZDI submitted the report to the vendor.
Vendor Acknowledgment: On September 23, 2024, the vendor confirmed receipt of the report.
Vendor Communication: On October 9, 2024, the vendor stated that the product is no longer supported.
Mitigation: The vendor no longer supports or recommends this tool. The product entered End-of-Life (EOL) and End-of-Support (EOS) status after the release of v5.5.0.085 in January 2022.

Disclosure Timeline

Reported to Vendor: September 25, 2024
Coordinated Public Release: June 27, 2025
Advisory Update: June 27, 2025

Acknowledgments

Discoverer: Andrea Micalizzi aka rgod (@rgod777)