Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-63910 is a high-severity vulnerability in the Cohesity TranZman Migration Appliance Release 4.0 Build 14614. It allows attackers with Administrator privileges to execute arbitrary code by uploading a crafted patch file through the appliance's web interface."}, {'type': 'paragraph', 'content': 'The vulnerability exists because the TranZman patch management system accepts and executes unsigned patch files without verifying their cryptographic signature, source authenticity, or content validity. Patch files are encrypted using a static encryption key that is the same across all installations, making it possible for attackers to decrypt, modify, and re-encrypt patches.'}, {'type': 'paragraph', 'content': 'Exploitation involves obtaining the static encryption key through other means, decrypting vendor patch files, injecting malicious code (such as a backdoor or reverse shell), repackaging the patch, and uploading it to the appliance. When executed, this results in arbitrary code execution with root privileges.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to full system compromise of the TranZman appliance by allowing remote code execution with root privileges.

• Attackers can gain an interactive root shell on the appliance.
• It introduces supply chain risks by enabling the distribution of malicious patches to multiple appliances.
• Persistence is possible through system file modifications, allowing backdoors to remain active.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking for the presence of the vulnerable Cohesity TranZman Migration Appliance Release 4.0 Build 14614 and monitoring for unauthorized patch uploads or executions.'}, {'type': 'paragraph', 'content': 'Specifically, you can inspect the appliance for the existence of the static encryption key file located at /opt/SRLtzm/srltzm.bmp, which is used to encrypt patch files and is identical across installations.'}, {'type': 'paragraph', 'content': 'You may also review the web interface activity logs for POST requests to the patch upload endpoint and PATCH requests that trigger patch execution.'}, {'type': 'paragraph', 'content': 'Commands to check for the static key file and patch files on the appliance could include:'}, {'type': 'list_item', 'content': 'ls -l /opt/SRLtzm/srltzm.bmp'}, {'type': 'list_item', 'content': 'ls -l /opt/SRLtzm/web/tranzman/views/patch.py'}, {'type': 'list_item', 'content': "grep -i 'upload' /var/log/httpd/access_log (or equivalent web server logs) to detect patch upload attempts"}, {'type': 'list_item', 'content': "Monitor for unusual commands such as 'list_host' being issued via the web interface or CLI, which can trigger execution of uploaded patches."}, {'type': 'paragraph', 'content': 'Note that exploitation requires administrator privileges, so monitoring for unexpected administrator activity is also recommended.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patches released by Cohesity in the specified order: first TZM_patch_1.patch, followed by TZM_1760106063_OCT2025R2_FULL.depot.

Contact Cohesity support to obtain the latest OVA versions that contain integrated fixes for this vulnerability.

Restrict administrator access to the TranZman web interface to trusted personnel only and monitor for suspicious patch uploads or executions.

Consider auditing and securing the static encryption key file (/opt/SRLtzm/srltzm.bmp) to prevent unauthorized extraction and patch decryption.

If possible, isolate the appliance from untrusted networks to reduce the risk of exploitation.

Useful 0 Not Useful 0