CVE-2025-67840

7.2 HIGH

📋 TL;DR

Multiple OS command injection vulnerabilities in Cohesity TranZman 4.0 allow an authenticated admin user to execute arbitrary commands as root. An attacker holding admin credentials can intercept their own legitimate API requests in a proxy and modify request parameters so that the injected input is passed to the operating system shell, bypassing the restricted shell the appliance confines admin sessions to and leading to complete system compromise. All systems running a vulnerable version of the TranZman web application are affected.
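The following is an added, constructed illustration of the vulnerability class described above; it is not Cohesity TranZman code. The endpoint, the parameter name `host` and the `echo` command are placeholders chosen so the demo runs offline and harmlessly (in the real appliance the injected command ran as root). It shows a handler that interpolates an API parameter into a shell command line, the kind of tampered value an attacker would substitute in an intercepted request, and two independent fixes: passing argv without a shell, and an allowlist on the value.

```python
"""Constructed illustration of authenticated OS command injection via an API parameter.

Not TranZman code: the `host` parameter and the `echo` command are placeholders.
"""
from __future__ import annotations

import re
import subprocess

# Allowlist for the hypothetical `host` parameter: hostname or IPv4 literal characters only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(host: str) -> str:
    """The flaw: the raw parameter becomes part of a shell command line.

    With shell=True, /bin/sh parses the whole string, so a tampered value such as
    "10.0.0.1; id" runs a second command after echo.
    """
    cmd = f"echo {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_no_shell(host: str) -> str:
    """Defence layer 1: pass argv as a list, never through a shell.

    Even an unvalidated "10.0.0.1; id" arrives as a single argument to echo;
    nothing executes `id`.
    """
    return subprocess.run(["echo", host], capture_output=True, text=True).stdout


def hardened_build_command(host: str) -> list[str]:
    """Defence layer 2: reject anything that is not a plain hostname/IP before use."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected parameter value: {host!r}")
    return ["echo", host]


def validation_rejects(host: str) -> bool:
    """True when the allowlist refuses the value (what the API should do with tampered input)."""
    try:
        hardened_build_command(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    tampered = "10.0.0.1; id"  # value an attacker would inject into the intercepted request
    print("vulnerable (shell=True) ->", run_vulnerable(tampered))
    print("argv, no shell          ->", run_argv_no_shell(tampered))
    print("allowlist rejects       ->", validation_rejects(tampered))
```

Run it and compare the first two outputs: the shell path prints the echo text followed by the output of `id`, the argv path prints the tampered string literally. Both fixes are worth applying together; the allowlist stops the request at the API boundary, and argv-only execution means a validation gap cannot become code execution.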

💻 Affected Systems

Products:
  • Cohesity TranZman
Versions: 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot
Operating Systems: Appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Requires authenticated admin access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root access, allowing data theft, lateral movement, persistence establishment, and complete appliance control.

🟠 Likely Case

Authenticated attackers with admin privileges gain remote code execution as root, enabling data exfiltration, credential harvesting, and backdoor installation.

🟢 If Mitigated

With network segmentation and admin credential protection in place, impact is confined to the appliance itself, with no lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials and proxy interception of legitimate API requests. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://cohesity.com

Restart Required: Unknown (no patched build identified here)

Instructions:

Check Cohesity security advisories for patch availability. If patch exists, download from vendor portal and apply following vendor instructions.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected versions)

Isolate the TranZman appliance from sensitive networks and restrict admin access to trusted IPs only.

Admin Credential Protection (applies to: all affected versions)

Implement strong password policies, multi-factor authentication, and regular credential rotation for admin accounts.

🧯 If You Can't Patch

  • Monitor admin account activity and API access logs for suspicious patterns; every exploitation attempt is an authenticated admin request, so the audit trail should name the account used
  • Reduce the number of admin accounts and review who holds them, since the vulnerability is reachable only with admin credentials
  • Implement web application firewall rules to block command injection patterns in API requests, matching URL-encoded forms (%3B, %7C, %26, %24%28) as well as raw metacharacters; treat this as a speed bump, not a fix

🔍 How to Verify

Check if Vulnerable:

Check the TranZman version via the web interface or CLI. If the installed build falls within the affected range (4.0 Build 14614 through the TZM_1757588060_SEP2025_FULL.depot build), the system is vulnerable.

Check Version:

Check the web interface admin panel, or consult the appliance documentation for the version command.

Verify Fix Applied:

Confirm via the version check that the installed build is a patched one outside the affected range. If you also test the API endpoints, do so only against a non-production appliance with authorization, using a benign canary payload (for example, one that writes a harmless marker file) rather than destructive commands; a benign payload that still executes means the fix is not in place.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests with shell metacharacters
  • Multiple failed authentication attempts followed by successful admin login
  • Suspicious command execution in system logs

Network Indicators:

  • Unusual outbound connections from appliance
  • API requests containing shell metacharacters like ;, |, &, $()

SIEM Query:

source="tranzman" AND (command="*;*" OR command="*|*" OR command="*&*" OR command="*$(*")

The source and field names above are illustrative and must be mapped to your log schema. A literal match of this kind also misses URL-encoded payloads (for example %3B for ;, %7C for |, %24%28 for $( ), so decode request parameters before matching or add the encoded forms to the query.
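The following is an added detection example for this advisory, not TranZman code or a vendor-provided rule. The access-log layout (timestamp, user, method, path with query string, status) and the parameter names are assumptions, and the sample lines are constructed. It demonstrates the caveat above: a raw wildcard match on the undecoded log line catches only the plain-text payload, while decoding parameter values (including double-encoded ones) before matching catches the encoded variants too.

```python
"""Decode-aware detection of command-injection attempts in API access logs.

Added example; log format, field names and sample lines are constructed assumptions.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus, urlsplit

# Shell metacharacters and command-substitution openers worth alerting on.
METACHARS = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Hypothetical access-log layout: <ts> <user> <method> <path?query> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines (not real appliance logs).
SAMPLE_LOGS = [
    "2025-09-12T10:01:02Z admin POST /api/v1/network/ping?host=10.0.0.5 200",
    "2025-09-12T10:01:09Z admin POST /api/v1/network/ping?host=10.0.0.5;id 200",
    "2025-09-12T10:01:15Z admin POST /api/v1/network/ping?host=10.0.0.5%3Bcat%20%2Fetc%2Fshadow 200",
    "2025-09-12T10:01:20Z admin POST /api/v1/network/ping?host=%2524%2528id%2529 200",
    "2025-09-12T10:02:00Z auditor GET /api/v1/status 200",
]


def naive_match(line: str) -> bool:
    """What a raw wildcard match on the undecoded log line sees (the SIEM query style)."""
    return bool(re.search(r"[;|&]|\$\(", line))


def decode_value(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads (%253B -> %3B -> ;) surface."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded_value) pairs whose decoded value contains shell metacharacters.

    Note: a raw, unencoded '&' in the query is a parameter separator and therefore never
    appears inside a value; only its encoded form (%26) can, and that is what this catches.
    """
    hits = []
    query = urlsplit(target).query
    for pair in (query.split("&") if query else []):
        name, _, raw = pair.partition("=")
        decoded = decode_value(raw)
        if METACHARS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines: list[str]) -> list[dict]:
    """Parse each log line and emit an alert record for every request with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected layout; a real pipeline would count and surface these
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({
                "ts": m["ts"],
                "user": m["user"],
                "path": urlsplit(m["target"]).path,
                "hits": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
    print("raw-match hits:", sum(naive_match(line) for line in SAMPLE_LOGS),
          "| decoded hits:", len(scan(SAMPLE_LOGS)))
```

On the sample lines the raw match fires once (the plain `;`), while the decode-aware scan fires three times, adding the `%3B` and the double-encoded `%2524%2528id%2529` payloads. Every alert carries the admin account that issued the request, which is the pivot for the account-activity monitoring listed above.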
