Executive Summary

CVE-2025-63912 is a medium-severity cryptographic vulnerability in the Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The appliance uses a weak encryption method for its FTP service control channel, specifically an XOR encryption with a static, hardcoded key embedded in the software. This key is a plaintext copyright string, making the encryption easily reversible.

Because the XOR encryption is symmetric and reversible, anyone with access to the key or network traffic can decrypt sensitive information such as credentials, filenames, and commands. The FTP server also suppresses logging for certain commands, creating audit blind spots, and does not support secure protocols like TLS/FTPS on the control channel, further exposing communications.

Additionally, the encryption scheme lacks initialization vectors and integrity checks, making it vulnerable to replay and command forgery attacks. Attackers on the same network segment or with access to the static key can capture, decrypt, and manipulate FTP control traffic, compromising data confidentiality and integrity.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to exposure of sensitive credentials and commands used by the TranZman FTP service, allowing attackers to decrypt and intercept backup-related data.

Attackers can also forge or replay commands to retrieve, tamper with, or disrupt backup files and operations, compromising the confidentiality and integrity of critical backup and recovery data.

The lack of logging for certain commands creates audit blind spots, making it harder to detect malicious activity.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring network traffic for the TranZman FTP service operating on TCP port 55555. Since the FTP control channel traffic is XOR-encrypted with a static, hardcoded key, capturing and decrypting this traffic can reveal the presence of the weak cryptography.'}, {'type': 'paragraph', 'content': 'You can use network packet capture tools like tcpdump or Wireshark to capture traffic on port 55555 and then analyze the captured data for the SRLCRYPT header and XOR encryption patterns.'}, {'type': 'list_item', 'content': 'Capture traffic on port 55555: tcpdump -i <interface> tcp port 55555 -w tranzman_traffic.pcap'}, {'type': 'list_item', 'content': 'Analyze the captured traffic in Wireshark or use a custom script to detect the ASCII header "SRLCRYPT" in the FTP control channel data.'}, {'type': 'list_item', 'content': 'Decompile the Perl modules (if accessible) using B::Deparse to extract the XOR key and verify the use of the weak cryptographic algorithm.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the official patches provided by Cohesity in the recommended sequence to fix the weak cryptography issue.

• Apply TZM_patch_1.patch first.
• Then apply TZM_1760106063_OCT2025R2_FULL.depot.

Additionally, contact Cohesity support to obtain updated OVA versions with integrated fixes.

Until patches are applied, restrict network access to the TranZman FTP service on TCP port 55555 to trusted hosts only, and monitor for suspicious activity on that port.

Useful 0 Not Useful 0