CVE-2025-63909
Privilege Escalation via Access Control Flaw in Cohesity TapeDumper
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cohesity | tranzman | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-63909 is a local privilege escalation vulnerability in the Cohesity TranZman Migration Appliance, specifically in the component /opt/SRLtzm/bin/TapeDumper.
The vulnerability arises from incorrect access control due to an overly permissive sudo configuration that allows an authenticated administrator to run TapeDumper with root privileges without a password.
TapeDumper, an interactive CLI tool designed to handle tape devices, incorrectly treats any file as a tape device, enabling arbitrary read and write operations on files with root privileges.
Exploitation involves escaping a restricted shell (CLISH) via a related command injection vulnerability, then using TapeDumper to read sensitive files, modify them (such as /etc/passwd), and write them back, effectively creating a passwordless root user and gaining full root access.
How can this vulnerability impact me?
This vulnerability allows an attacker with prior authenticated access to escalate their privileges to root on the TranZman appliance.
- Complete root access to the system.
- Ability to read and write arbitrary files with root privileges.
- Creation of persistent backdoor accounts by modifying system files like /etc/passwd.
- Full system compromise of the TranZman Migration Appliance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-63909 involves checking for the presence of the vulnerable component /opt/SRLtzm/bin/TapeDumper and verifying the sudoers configuration that allows passwordless sudo access to binaries under /opt/SRLtzm/bin/*. Specifically, look for entries in /etc/sudoers granting NOPASSWD sudo rights to admin users for these binaries.
Commands to assist detection include:
- Check if TapeDumper exists and its permissions: ls -l /opt/SRLtzm/bin/TapeDumper
- Review sudoers entries related to /opt/SRLtzm/bin/: sudo cat /etc/sudoers | grep '/opt/SRLtzm/bin/'
- Check for suspicious root user entries or modifications in /etc/passwd that could indicate exploitation: sudo cat /etc/passwd | grep root
Additionally, monitoring for unexpected use of TapeDumper with sudo or unusual file modifications can help detect exploitation attempts. [2]
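The sudoers check above can be scripted so it also covers the drop-in files under /etc/sudoers.d and ignores commented-out rules. The script below is an added example written for this page, not part of the CVE record or of Cohesity's tooling; it assumes the rule shapes named in the detection answer (/opt/SRLtzm/bin/* or the TapeDumper path) and uses a constructed sample sudoers file for its offline demonstration.

```shell
#!/bin/sh
# Added audit script (not from the CVE record or from Cohesity): lists sudoers
# rules granting passwordless root execution of /opt/SRLtzm/bin/* or TapeDumper,
# the misconfiguration behind CVE-2025-63909. Cmnd_Alias indirection is not resolved.

# Print each effective (uncommented) NOPASSWD rule in FILE whose command
# list covers /opt/SRLtzm/bin/* or /opt/SRLtzm/bin/TapeDumper.
risky_rules() {
    [ -r "$1" ] || return 0          # unreadable or absent: nothing to report
    sed 's/#.*//' "$1" \
        | grep 'NOPASSWD' \
        | grep -E '/opt/SRLtzm/bin(/\*|/TapeDumper)([[:space:]]|,|$)'
    return 0
}

# Number of such rules in FILE ("0" when clean, absent or unreadable).
count_risky_rules() {
    risky_rules "$1" | grep -c . || true
}

# Audit this host: the main sudoers file plus every drop-in in /etc/sudoers.d.
audit_host() {
    total=0
    for f in /etc/sudoers /etc/sudoers.d/*; do
        n=$(count_risky_rules "$f")
        if [ "$n" -gt 0 ]; then
            echo "$f: $n risky NOPASSWD rule(s)"; risky_rules "$f"
        fi
        total=$((total + n))
    done
    echo "total risky rules: $total"
}

# Constructed sample sudoers content (not from a real appliance) used for
# the offline demonstration; the commented-out rule must not be counted.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
# admin ALL=(ALL) NOPASSWD: /opt/SRLtzm/bin/TapeDumper
admin ALL=(ALL) NOPASSWD: /opt/SRLtzm/bin/*
ops   ALL=(ALL) ALL
EOF
}

if [ "${1:-}" = "--live" ]; then audit_host; else
    S=$(mktemp); write_sample_sudoers "$S"
    echo "sample: $(count_risky_rules "$S") risky rule(s)"; risky_rules "$S"; rm -f "$S"
fi
```

Run it with --live on the appliance to audit the real files; because aliases are not expanded, confirm a clean result with sudo -l -U <user> for the administrative accounts.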
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patches released by Cohesity to fix this vulnerability. The recommended patch sequence is to first apply TZM_patch_1.patch followed by TZM_1760106063_OCT2025R2_FULL.depot.
Contact Cohesity support to obtain the latest patched OVA version that contains all fixes for this and related vulnerabilities.
If patching is not immediately possible, restrict access to the vulnerable appliance, especially limiting administrative shell access, to reduce the risk of exploitation.
Also, review and tighten sudoers configurations to remove or restrict passwordless sudo access to binaries under /opt/SRLtzm/bin/.