CVE-2025-63909

7.2 HIGH

📋 TL;DR

This vulnerability allows a local attacker to escalate privileges to root and read or write arbitrary files on Cohesity TranZman Migration Appliance systems, due to incorrect access control in the TapeDumper component. It affects organizations using this specific appliance for data migration. Attackers can gain complete control of affected systems.

💻 Affected Systems

Products:
  • Cohesity TranZman Migration Appliance
Versions: Release 4.0 Build 14614
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the /opt/SRLtzm/bin/TapeDumper component. Requires local access to the appliance.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, data exfiltration, ransomware deployment, and lateral movement to other network resources.

🟠 Likely Case

Privilege escalation to root leading to data theft, configuration modification, and persistence establishment on the appliance.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details and proof-of-concept are publicly available in the referenced GitHub repository. Requires initial access to the appliance.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Check Cohesity support portal for security advisories
2. Apply any available patches for TranZman Migration Appliance
3. Monitor for vendor updates regarding this CVE

🔧 Temporary Workarounds

Remove TapeDumper execute permissions (platform: linux)

Remove execute permissions from the vulnerable binary to prevent exploitation. Note that this also disables the component's legitimate use until a vendor fix is applied:

    chmod -x /opt/SRLtzm/bin/TapeDumper

Implement strict access controls (platform: all)

Restrict access to the appliance to authorized administrators only

🧯 If You Can't Patch

  • Implement network segmentation to isolate the appliance from critical systems
  • Enable detailed logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if /opt/SRLtzm/bin/TapeDumper exists and has execute permissions on Cohesity TranZman Migration Appliance Release 4.0 Build 14614

Check Version:

Check appliance management interface or contact Cohesity support for version information

Verify Fix Applied:

Verify TapeDumper binary no longer has execute permissions or has been updated/removed
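As an added check that is not part of this advisory or of Cohesity's tooling, the POSIX shell helper below implements the "Check if Vulnerable" and "Verify Fix Applied" steps above: it reports whether the TapeDumper binary is present and executable, and for the record also prints its mode, owner and any setuid/setgid bits. The path defaults to /opt/SRLtzm/bin/TapeDumper from the advisory; the TAPEDUMPER_PATH override variable is an assumed name.

```shell
#!/bin/sh
# Added verification helper; not from the advisory or Cohesity's tooling.
# Checks the TapeDumper binary exactly as the "How to Verify" section asks:
# present? executable? The setuid/setgid report is informational only; the
# advisory does not state how the binary obtains root.

# Path from the advisory; TAPEDUMPER_PATH is an assumed override variable.
TAPEDUMPER_PATH="${TAPEDUMPER_PATH:-/opt/SRLtzm/bin/TapeDumper}"

# Prints one status word for the given path:
#   not-present             binary absent (removed or never installed)
#   present-not-executable  workaround applied (execute bits cleared)
#   executable              vulnerable configuration per the advisory
check_tapedumper() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "not-present"
  elif [ -x "$path" ]; then
    echo "executable"
  else
    echo "present-not-executable"
  fi
}

# Mode, owner and special bits, for the incident record.
describe_tapedumper() {
  path="$1"
  if [ ! -e "$path" ]; then echo "absent"; return 0; fi
  bits=""
  if [ -u "$path" ]; then bits="${bits}setuid "; fi
  if [ -g "$path" ]; then bits="${bits}setgid "; fi
  echo "$(ls -ld "$path") ${bits}"
}

status=$(check_tapedumper "$TAPEDUMPER_PATH")
echo "$TAPEDUMPER_PATH: $status"
case "$status" in
  executable)
    echo "VULNERABLE: apply the vendor fix or run: chmod -x $TAPEDUMPER_PATH"
    describe_tapedumper "$TAPEDUMPER_PATH" ;;
  present-not-executable)
    echo "Workaround in place; apply the vendor fix when available" ;;
  not-present)
    echo "Binary not found; not affected or already removed" ;;
esac
```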

📡 Detection & Monitoring

Log Indicators:

  • Unexpected execution of TapeDumper binary
  • Privilege escalation attempts
  • Unauthorized file access patterns

Network Indicators:

  • Unusual outbound connections from appliance
  • Suspicious SSH or management traffic

SIEM Query:

Process execution where process_name contains 'TapeDumper' AND user_context changes to 'root'

🔗 References
