CVE-2025-67840
Received Received - Intake
Authenticated OS Command Injection in Cohesity TranZman 4.0 Enables Root RCE

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: MITRE

Description
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67840
EUVD
EUVD-2025-208246
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cohesity tranzman 4.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-67840 is a high-severity OS command injection vulnerability affecting the Cohesity TranZman Migration Appliance web application versions from Release 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot.

The vulnerability exists because certain API endpoints (such as /api/v1/scheduler/run and /api/v1/actions/run) accept parameters that are concatenated directly into system shell commands without sufficient sanitization.

An authenticated administrator can intercept legitimate requests and modify parameters to inject arbitrary shell commands, which are then executed with root privileges on the appliance.

This allows the attacker to bypass the intended CLISH restricted shell confinement and gain full system compromise.

Impact Analysis

Exploitation of this vulnerability allows an authenticated attacker to execute arbitrary OS commands with root privileges on the TranZman appliance.

This leads to full system compromise, bypassing security restrictions intended to confine shell access.

An attacker can gain a root shell, potentially exposing all backup metadata and credentials stored on the appliance.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and intercepting API requests to the vulnerable endpoints, specifically POST requests to /api/v1/scheduler/run and /api/v1/actions/run.'}, {'type': 'paragraph', 'content': 'Detection involves checking for unusual or suspicious parameters in these requests, such as shell metacharacters (;, $(), etc.) or payloads that attempt to execute arbitrary commands.'}, {'type': 'paragraph', 'content': 'Commands to detect exploitation attempts could include capturing and inspecting network traffic with tools like tcpdump or Wireshark, focusing on HTTP POST requests to the mentioned endpoints.'}, {'type': 'list_item', 'content': 'Use a proxy tool (e.g., Burp Suite) to intercept and analyze API requests to /api/v1/scheduler/run and /api/v1/actions/run for suspicious parameter values.'}, {'type': 'list_item', 'content': "Run tcpdump to capture traffic on the appliance network interface filtering for HTTP POST requests: tcpdump -A -s 0 'tcp port 80 or 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'"}, {'type': 'list_item', 'content': "Search logs or captured requests for shell metacharacters or reverse shell payload patterns in the 'job', 'action', or 'cep' parameters."}] [2]

Mitigation Strategies

Immediate mitigation steps include applying the official patches provided by Cohesity in the correct order: first TZM_patch_1.patch followed by TZM_1760106063_OCT2025R2_FULL.depot.

Contact Cohesity support to obtain the latest OVA version that includes integrated fixes for this vulnerability.

Restrict access to the vulnerable API endpoints to trusted administrators only and monitor for suspicious activity.

Consider temporarily disabling or limiting the use of the Scheduler and Actions API endpoints until patches are applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67840. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart