Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-63911 is a high-severity authenticated command injection vulnerability in the Cohesity TranZman Migration Appliance, specifically within its CLISH restricted shell.'}, {'type': 'paragraph', 'content': "The vulnerability allows an authenticated admin user to escape the restricted shell environment and gain unrestricted shell access by exploiting insufficient input sanitization in two commands: the 'personality' command and the 'load_media' command."}, {'type': 'list_item', 'content': "Personality Command Injection: The 'personality' command passes a string parameter directly to a shell script without properly sanitizing shell metacharacters, allowing injection of arbitrary commands."}, {'type': 'list_item', 'content': "Load Media Command Injection: The 'load_media' command similarly passes user input to a shell command without adequate sanitization, enabling shell escape."}, {'type': 'paragraph', 'content': 'Exploiting these injection points lets an attacker with admin credentials execute arbitrary shell commands as the admin user, escaping the restricted shell.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts if exploited by an attacker with admin credentials.'}, {'type': 'list_item', 'content': 'The attacker can escape the restricted CLISH shell and gain an unconfined shell running as the admin user.'}, {'type': 'list_item', 'content': 'The unconfined shell operates outside SELinux restrictions, enabling further privilege escalation to root by leveraging other vulnerabilities.'}, {'type': 'paragraph', 'content': "This means the attacker could potentially take full control of the appliance, execute arbitrary commands, and compromise the system's confidentiality, integrity, and availability."}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to exploit the command injection points in the Cohesity TranZman Migration Appliance's CLISH restricted shell, specifically the 'personality' and 'load_media' commands."}, {'type': 'paragraph', 'content': 'For example, testing the \'personality\' command by injecting shell metacharacters such as ";id" or ";/bin/bash" into the personality parameter may reveal if arbitrary command execution is possible.'}, {'type': 'paragraph', 'content': 'Similarly, injecting ";/bin/bash;" into the \'mediaid\' parameter of the \'load_media\' command can be used to check for shell escape.'}, {'type': 'paragraph', 'content': 'These tests require authenticated admin access to the appliance.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': "Immediate mitigation steps include applying the patches released by Cohesity in the specified order: first apply 'TZM_patch_1.patch' followed by 'TZM_1760106063_OCT2025R2_FULL.depot'."}, {'type': 'paragraph', 'content': 'Additionally, contacting Cohesity support to obtain the latest OVA version that includes integrated fixes is recommended.'}, {'type': 'paragraph', 'content': 'Restricting admin access to trusted personnel and monitoring for unusual shell activity may also help reduce risk until patches are applied.'}] [1]

Useful 0 Not Useful 0