CVE-2025-63911
Authenticated Command Injection in Cohesity TranZman Migration Appliance
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cohesity | tranzman | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-63911 is a high-severity authenticated command injection vulnerability in the Cohesity TranZman Migration Appliance, specifically within its CLISH restricted shell.

The vulnerability allows an authenticated admin user to escape the restricted shell environment and gain unrestricted shell access by exploiting insufficient input sanitization in two commands: the 'personality' command and the 'load_media' command.

- Personality Command Injection: The 'personality' command passes a string parameter directly to a shell script without properly sanitizing shell metacharacters, allowing injection of arbitrary commands.
- Load Media Command Injection: The 'load_media' command similarly passes user input to a shell command without adequate sanitization, enabling shell escape.

Exploiting these injection points lets an attacker with admin credentials execute arbitrary shell commands as the admin user, escaping the restricted shell. [1]
How can this vulnerability impact me?
This vulnerability can have serious impacts if exploited by an attacker with admin credentials.

- The attacker can escape the restricted CLISH shell and gain an unconfined shell running as the admin user.
- The unconfined shell operates outside SELinux restrictions, enabling further privilege escalation to root by leveraging other vulnerabilities.

This means the attacker could potentially take full control of the appliance, execute arbitrary commands, and compromise the system's confidentiality, integrity, and availability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the command injection points in the Cohesity TranZman Migration Appliance's CLISH restricted shell, specifically the 'personality' and 'load_media' commands.

For example, testing the 'personality' command by injecting shell metacharacters such as ";id" or ";/bin/bash" into the personality parameter may reveal if arbitrary command execution is possible.

Similarly, injecting ";/bin/bash;" into the 'mediaid' parameter of the 'load_media' command can be used to check for shell escape.

These tests require authenticated admin access to the appliance. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the patches released by Cohesity in the specified order: first apply 'TZM_patch_1.patch' followed by 'TZM_1760106063_OCT2025R2_FULL.depot'.

Additionally, contacting Cohesity support to obtain the latest OVA version that includes integrated fixes is recommended.

Restricting admin access to trusted personnel and monitoring for unusual shell activity may also help reduce risk until patches are applied. [1]