CVE-2025-63912
Weak Encryption in Cohesity TranZman 4.0 Exposes Credentials
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cohesity | tranzman | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-63912 is a medium-severity cryptographic vulnerability in the Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The appliance uses a weak encryption method for its FTP service control channel, specifically an XOR encryption with a static, hardcoded key embedded in the software. This key is a plaintext copyright string, making the encryption easily reversible.
Because the XOR encryption is symmetric and reversible, anyone with access to the key or network traffic can decrypt sensitive information such as credentials, filenames, and commands. The FTP server also suppresses logging for certain commands, creating audit blind spots, and does not support secure protocols like TLS/FTPS on the control channel, further exposing communications.
Additionally, the encryption scheme lacks initialization vectors and integrity checks, making it vulnerable to replay and command forgery attacks. Attackers on the same network segment or with access to the static key can capture, decrypt, and manipulate FTP control traffic, compromising data confidentiality and integrity.
How can this vulnerability impact me?
This vulnerability can lead to exposure of sensitive credentials and commands used by the TranZman FTP service, allowing attackers to decrypt and intercept backup-related data.
Attackers can also forge or replay commands to retrieve, tamper with, or disrupt backup files and operations, compromising the confidentiality and integrity of critical backup and recovery data.
The lack of logging for certain commands creates audit blind spots, making it harder to detect malicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic for the TranZman FTP service operating on TCP port 55555. Since the FTP control channel traffic is XOR-encrypted with a static, hardcoded key, capturing and decrypting this traffic can reveal the presence of the weak cryptography.
You can use network packet capture tools like tcpdump or Wireshark to capture traffic on port 55555 and then analyze the captured data for the SRLCRYPT header and XOR encryption patterns.
- Capture traffic on port 55555: tcpdump -i <interface> tcp port 55555 -w tranzman_traffic.pcap
- Analyze the captured traffic in Wireshark or use a custom script to detect the ASCII header "SRLCRYPT" in the FTP control channel data.
- Decompile the Perl modules (if accessible) using B::Deparse to extract the XOR key and verify the use of the weak cryptographic algorithm. [1]
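The "custom script" step above, written out as an added example that is not part of this CVE record and not Cohesity code. It scans already-decoded TCP segments (the `Segment` type, the sample traffic, and the IP addresses are all constructed here for illustration) for traffic to port 55555 whose payload starts with the "SRLCRYPT" header. Because a static-key XOR scheme with no initialization vector maps identical commands to identical bytes, the scanner also flags repeated ciphertext on the control channel as a coarse replay indicator; treat that second signal as a heuristic, since benign repeated commands produce the same pattern.

```python
# Added example (not from the CVE record or from Cohesity): flag TranZman-style
# FTP control traffic on TCP 55555 carrying the "SRLCRYPT" header, and note
# repeated ciphertext segments, which deterministic static-key XOR produces for
# repeated commands and which is what a replayed command looks like on the wire.
from collections import Counter
from dataclasses import dataclass

TRANZMAN_PORT = 55555            # port named in the advisory text
SRLCRYPT_MAGIC = b"SRLCRYPT"     # ASCII header named in the advisory text


@dataclass(frozen=True)
class Segment:
    """One reassembled TCP segment; a hypothetical type constructed for this example."""
    src: str
    dst: str
    dport: int
    payload: bytes


def has_srlcrypt_header(payload: bytes) -> bool:
    """True if the segment payload begins with the SRLCRYPT header."""
    return payload.startswith(SRLCRYPT_MAGIC)


def scan_segments(segments):
    """Return a list of findings (dicts with src, dst, reasons) for segments to review."""
    findings = []
    # Static key plus no IV means identical plaintext gives identical ciphertext,
    # so a byte-for-byte repeated payload on the control channel is worth a look.
    ciphertext_counts = Counter(
        s.payload for s in segments if s.dport == TRANZMAN_PORT
    )
    for s in segments:
        if s.dport != TRANZMAN_PORT:
            continue
        reasons = []
        if has_srlcrypt_header(s.payload):
            reasons.append("SRLCRYPT header: static-key XOR control channel in use")
        if ciphertext_counts[s.payload] > 1:
            reasons.append("repeated ciphertext: possible replayed command (heuristic)")
        if reasons:
            findings.append({"src": s.src, "dst": s.dst, "reasons": reasons})
    return findings


# Constructed sample segments (not real captures). Bytes after the header are
# arbitrary placeholder ciphertext, not output of the appliance.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "10.0.0.9", 55555, b"SRLCRYPT" + bytes.fromhex("1f2e3d4c5b6a")),
    Segment("10.0.0.5", "10.0.0.9", 55555, b"SRLCRYPT" + bytes.fromhex("99887766")),
    # Same bytes as the first segment from a different host: replay-like.
    Segment("10.0.0.7", "10.0.0.9", 55555, b"SRLCRYPT" + bytes.fromhex("1f2e3d4c5b6a")),
    # TLS on another port: ignored by the scanner.
    Segment("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01"),
]


if __name__ == "__main__":
    for f in scan_segments(SAMPLE_SEGMENTS):
        print(f"{f['src']} -> {f['dst']}: " + "; ".join(f["reasons"]))
```

To run this against a real capture, feed it segments extracted from the tranzman_traffic.pcap produced by the tcpdump command above (for example via a pcap library that yields destination port and TCP payload per packet); the scanner itself only needs those three fields.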
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patches provided by Cohesity in the recommended sequence to fix the weak cryptography issue.
- Apply TZM_patch_1.patch first.
- Then apply TZM_1760106063_OCT2025R2_FULL.depot.
Additionally, contact Cohesity support to obtain updated OVA versions with integrated fixes.
Until patches are applied, restrict network access to the TranZman FTP service on TCP port 55555 to trusted hosts only, and monitor for suspicious activity on that port.