CVE-2025-63909
Received Received - Intake

Privilege Escalation via Access Control Flaw in Cohesity TapeDumper

Vulnerability report for CVE-2025-63909, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: MITRE

Description

Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-07-06
AI Q&A
2026-03-03
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
cohesity tranzman 4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-63909 is a local privilege escalation vulnerability in the Cohesity TranZman Migration Appliance, specifically in the component /opt/SRLtzm/bin/TapeDumper.

The vulnerability arises from incorrect access control due to an overly permissive sudo configuration that allows an authenticated administrator to run TapeDumper with root privileges without a password.

TapeDumper, an interactive CLI tool designed to handle tape devices, incorrectly treats any file as a tape device, enabling arbitrary read and write operations on files with root privileges.

Exploitation involves escaping a restricted shell (CLISH) via a related command injection vulnerability, then using TapeDumper to read sensitive files, modify them (such as /etc/passwd), and write them back, effectively creating a passwordless root user and gaining full root access.

Impact Analysis

This vulnerability allows an attacker with prior authenticated access to escalate their privileges to root on the TranZman appliance.

  • Complete root access to the system.
  • Ability to read and write arbitrary files with root privileges.
  • Creation of persistent backdoor accounts by modifying system files like /etc/passwd.
  • Full system compromise of the TranZman Migration Appliance.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of CVE-2025-63909 involves checking for the presence of the vulnerable component /opt/SRLtzm/bin/TapeDumper and verifying the sudoers configuration that allows passwordless sudo access to binaries under /opt/SRLtzm/bin/*. Specifically, look for entries in /etc/sudoers granting NOPASSWD sudo rights to admin users for these binaries.'}, {'type': 'paragraph', 'content': 'Commands to assist detection include:'}, {'type': 'list_item', 'content': 'Check if TapeDumper exists and its permissions: ls -l /opt/SRLtzm/bin/TapeDumper'}, {'type': 'list_item', 'content': "Review sudoers entries related to /opt/SRLtzm/bin/: sudo cat /etc/sudoers | grep '/opt/SRLtzm/bin/'"}, {'type': 'list_item', 'content': 'Check for suspicious root user entries or modifications in /etc/passwd that could indicate exploitation: sudo cat /etc/passwd | grep root'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected use of TapeDumper with sudo or unusual file modifications can help detect exploitation attempts.'}] [2]

Mitigation Strategies

Immediate mitigation steps include applying the official patches released by Cohesity to fix this vulnerability. The recommended patch sequence is to first apply TZM_patch_1.patch followed by TZM_1760106063_OCT2025R2_FULL.depot.

Contact Cohesity support to obtain the latest patched OVA version that contains all fixes for this and related vulnerabilities.

If patching is not immediately possible, restrict access to the vulnerable appliance, especially limiting administrative shell access, to reduce the risk of exploitation.

Also, review and tighten sudoers configurations to remove or restrict passwordless sudo access to binaries under /opt/SRLtzm/bin/.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63909. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart