CVE-2025-63911 – CVE-2025-63911 is an authenticated command inje... (How to Fix)

Q: What is the severity of CVE-2025-63911?

CVE-2025-63911 has a CVSS score of 7.2 (HIGH). CVE-2025-63911 is an authenticated command injection vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This allows authenticated attackers to execute arbitrary commands on the underlying operating system. Organizations using this specific build of the migration appliance are affected.

📋 TL;DR

CVE-2025-63911 is an authenticated command injection vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This allows authenticated attackers to execute arbitrary commands on the underlying operating system. Organizations using this specific build of the migration appliance are affected.

💻 Affected Systems

Products:

Cohesity TranZman Migration Appliance

Versions: Release 4.0 Build 14614

Operating Systems: Appliance-specific OS

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated access to the appliance interface.

📦 What is this software?

Tranzman by Cohesity

View all CVEs affecting Tranzman →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data exfiltration, lateral movement within the network, and potential ransomware deployment.

🟠

Likely Case

Unauthorized access to sensitive migration data, credential theft, and installation of persistence mechanisms.

🟢

If Mitigated

Limited impact due to network segmentation and strict access controls, potentially only affecting the appliance itself.

🌐 Internet-Facing: HIGH if the appliance is exposed to the internet, as authenticated attackers could gain full control.

🏢 Internal Only: HIGH as authenticated internal users or compromised accounts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Proof-of-concept code is publicly available in the referenced GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: Not found in provided references

Instructions:

Check Cohesity security advisories for official patch information. Upgrade to a fixed version when available.

🔧 Temporary Workarounds

Restrict Access

all

Limit network access to the appliance to only trusted administrative networks

Use firewall rules to restrict access to appliance management interface

Strengthen Authentication

all

Implement multi-factor authentication and strong password policies for appliance access

Configure MFA if supported by appliance

🧯 If You Can't Patch

Isolate the appliance in a dedicated network segment with strict access controls
Implement network monitoring and intrusion detection for suspicious command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check appliance version via web interface or CLI. If running Release 4.0 Build 14614, it is vulnerable.

Check Version:

Check via appliance web interface or consult Cohesity documentation for CLI version check

Verify Fix Applied:

Verify appliance has been upgraded to a version later than Release 4.0 Build 14614

📡 Detection & Monitoring

Log Indicators:

Unusual command execution patterns in system logs
Multiple failed authentication attempts followed by successful login

Network Indicators:

Unexpected outbound connections from appliance
Suspicious payloads in HTTP requests to appliance

SIEM Query:

source="cohesity_appliance" AND (event="command_execution" OR cmdline="*;*" OR cmdline="*|*")

📊 Metadata

CVE ID: CVE-2025-63911

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: March 3, 2026

Last Updated: March 5, 2026

🔗 References

https://gist.github.com/GregDurys/8b7a3022c04b6cee8c1e1af04f5671b2 Exploit,Third Party Advisory
https://github.com/GregDurys/Cohesity-TranZman-CVEs Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-63911, you might also want to check these: