CVE-2025-67840
Authenticated OS Command Injection in Cohesity TranZman 4.0 Enables Root RCE
Publication date: 2026-03-03
Last updated on: 2026-03-05
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cohesity | tranzman | 4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-67840 is a high-severity OS command injection vulnerability affecting the Cohesity TranZman Migration Appliance web application versions from Release 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot.
The vulnerability exists because certain API endpoints (such as /api/v1/scheduler/run and /api/v1/actions/run) accept parameters that are concatenated directly into system shell commands without sufficient sanitization.
An authenticated administrator can intercept legitimate requests and modify parameters to inject arbitrary shell commands, which are then executed with root privileges on the appliance.
This allows the attacker to bypass the intended CLISH restricted shell confinement and gain full system compromise.
How can this vulnerability impact me?
Exploitation of this vulnerability allows an authenticated attacker to execute arbitrary OS commands with root privileges on the TranZman appliance.
This leads to full system compromise, bypassing security restrictions intended to confine shell access.
An attacker can gain a root shell, potentially exposing all backup metadata and credentials stored on the appliance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and intercepting API requests to the vulnerable endpoints, specifically POST requests to /api/v1/scheduler/run and /api/v1/actions/run.
Detection involves checking for unusual or suspicious parameters in these requests, such as shell metacharacters (;, $(), etc.) or payloads that attempt to execute arbitrary commands.
Commands to detect exploitation attempts could include capturing and inspecting network traffic with tools like tcpdump or Wireshark, focusing on HTTP POST requests to the mentioned endpoints.
- Use a proxy tool (e.g., Burp Suite) to intercept and analyze API requests to /api/v1/scheduler/run and /api/v1/actions/run for suspicious parameter values.
- Run tcpdump to capture traffic on the appliance network interface, filtering for HTTP POST requests: tcpdump -A -s 0 'tcp port 80 or 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
- Search logs or captured requests for shell metacharacters or reverse shell payload patterns in the 'job', 'action', or 'cep' parameters. [2]
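As an added illustration (not part of this advisory and not Cohesity's code), the following Python implements the last detection step above: it examines recorded POST requests to the two named endpoints and flags 'job', 'action' or 'cep' values that carry shell metacharacters. The request records and the metacharacter set are constructed assumptions; the set should be tuned to the appliance's legitimate parameter values.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameter names taken from the advisory text above.
VULNERABLE_ENDPOINTS = {"/api/v1/scheduler/run", "/api/v1/actions/run"}
WATCHED_PARAMS = ("job", "action", "cep")

# Shell metacharacters that have no business in a job, action or cep name.
# Hypothetical detection set for illustration; includes ';' and '$(' from the text.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")


def find_suspicious_params(method, path, body):
    """Return {param: decoded_value} for watched parameters containing shell
    metacharacters. Only POSTs to the two vulnerable endpoints are examined;
    anything else returns an empty dict."""
    if method.upper() != "POST":
        return {}
    if path.split("?", 1)[0] not in VULNERABLE_ENDPOINTS:
        return {}
    # parse_qs percent-decodes, so an encoded %3B is inspected as ';'.
    params = parse_qs(body, keep_blank_values=True)
    hits = {}
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def scan_requests(requests):
    """Yield (index, path, hits) for every request that trips the detector."""
    for i, (method, path, body) in enumerate(requests):
        hits = find_suspicious_params(method, path, body)
        if hits:
            yield i, path, hits


# Constructed sample requests as (method, path, urlencoded body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/api/v1/scheduler/run", "job=nightly-backup"),                 # benign
    ("POST", "/api/v1/scheduler/run", "job=nightly-backup%3Bid"),            # ';' injected
    ("POST", "/api/v1/actions/run", "action=verify&cep=prod-cluster%24%28id%29"),  # '$(' injected
    ("GET", "/api/v1/actions/run", "action=verify%3Bid"),                    # not a POST
    ("POST", "/api/v1/status", "action=verify%3Bid"),                        # other endpoint
]

if __name__ == "__main__":
    for idx, path, hits in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{idx} {path}: suspicious parameters {hits}")
```

Feed it from whatever records the request bodies (a proxy export or a decrypting reverse proxy); a plain access log or a tcpdump of port 443 traffic does not expose the body.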
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the official patches provided by Cohesity in the correct order: first TZM_patch_1.patch followed by TZM_1760106063_OCT2025R2_FULL.depot.
Contact Cohesity support to obtain the latest OVA version that includes integrated fixes for this vulnerability.
Restrict access to the vulnerable API endpoints to trusted administrators only and monitor for suspicious activity.
Consider temporarily disabling or limiting the use of the Scheduler and Actions API endpoints until patches are applied.