Executive Summary

CVE-2025-63909 is a local privilege escalation vulnerability in the Cohesity TranZman Migration Appliance, specifically in the component /opt/SRLtzm/bin/TapeDumper.

The vulnerability arises from incorrect access control due to an overly permissive sudo configuration that allows an authenticated administrator to run TapeDumper with root privileges without a password.

TapeDumper, an interactive CLI tool designed to handle tape devices, incorrectly treats any file as a tape device, enabling arbitrary read and write operations on files with root privileges.

Exploitation involves escaping a restricted shell (CLISH) via a related command injection vulnerability, then using TapeDumper to read sensitive files, modify them (such as /etc/passwd), and write them back, effectively creating a passwordless root user and gaining full root access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with prior authenticated access to escalate their privileges to root on the TranZman appliance.

• Complete root access to the system.
• Ability to read and write arbitrary files with root privileges.
• Creation of persistent backdoor accounts by modifying system files like /etc/passwd.
• Full system compromise of the TranZman Migration Appliance.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of CVE-2025-63909 involves checking for the presence of the vulnerable component /opt/SRLtzm/bin/TapeDumper and verifying the sudoers configuration that allows passwordless sudo access to binaries under /opt/SRLtzm/bin/*. Specifically, look for entries in /etc/sudoers granting NOPASSWD sudo rights to admin users for these binaries.'}, {'type': 'paragraph', 'content': 'Commands to assist detection include:'}, {'type': 'list_item', 'content': 'Check if TapeDumper exists and its permissions: ls -l /opt/SRLtzm/bin/TapeDumper'}, {'type': 'list_item', 'content': "Review sudoers entries related to /opt/SRLtzm/bin/: sudo cat /etc/sudoers | grep '/opt/SRLtzm/bin/'"}, {'type': 'list_item', 'content': 'Check for suspicious root user entries or modifications in /etc/passwd that could indicate exploitation: sudo cat /etc/passwd | grep root'}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unexpected use of TapeDumper with sudo or unusual file modifications can help detect exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patches released by Cohesity to fix this vulnerability. The recommended patch sequence is to first apply TZM_patch_1.patch followed by TZM_1760106063_OCT2025R2_FULL.depot.

Contact Cohesity support to obtain the latest patched OVA version that contains all fixes for this and related vulnerabilities.

If patching is not immediately possible, restrict access to the vulnerable appliance, especially limiting administrative shell access, to reduce the risk of exploitation.

Also, review and tighten sudoers configurations to remove or restrict passwordless sudo access to binaries under /opt/SRLtzm/bin/.

Useful 0 Not Useful 0