Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67840

CVE-2025-67840: Cohesity TranZman RCE Vulnerability

CVE-2025-67840 is a command injection RCE vulnerability in Cohesity TranZman that allows authenticated admins to execute arbitrary OS commands with root privileges. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-67840 Overview

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints. The vulnerabilities affect critical areas including Scheduler and Actions pages, where the appliance directly concatenates user-controlled parameters into system commands without sufficient sanitization. This allows an authenticated admin user to inject and execute arbitrary OS commands with root privileges, completely bypassing the intended CLISH restricted shell confinement and resulting in full system compromise.

Critical Impact

An authenticated attacker can achieve remote code execution with root privileges on the TranZman appliance, bypassing shell restrictions and gaining complete control of the system.

Affected Products

  • Cohesity TranZman 4.0 Build 14614
  • Cohesity TranZman versions through TZM_1757588060_SEP2025_FULL.depot
  • Cohesity (formerly Stone Ram) TranZman web application API endpoints

Discovery Timeline

  • 2026-03-03 - CVE CVE-2025-67840 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-67840

Vulnerability Analysis

This vulnerability is classified as CWE-78 (OS Command Injection), a severe weakness where the application constructs OS commands using externally-influenced input without proper neutralization of special elements. The TranZman appliance fails to properly sanitize user-supplied parameters before incorporating them into system shell commands, enabling command injection attacks.

The vulnerable API endpoints, particularly those handling job creation and execution in the Scheduler and Actions pages, accept user input that is directly concatenated into system commands. This architectural flaw allows attackers to insert shell metacharacters (such as ;, |, &&, or backticks) to break out of the intended command context and execute arbitrary commands.

What makes this vulnerability particularly dangerous is that successful exploitation results in code execution with root privileges, effectively providing complete control over the appliance. Additionally, the attack bypasses the CLISH restricted shell environment that is designed to confine administrative users to a limited set of operations.

Root Cause

The root cause lies in insufficient input sanitization within the TranZman web application API. The application directly concatenates user-controlled parameters into system command strings without properly escaping or validating shell metacharacters. This violates secure coding principles that mandate strict input validation and parameterized command execution when handling user input destined for system shell operations.

Attack Vector

The attack is network-based and requires authentication with administrative privileges. An attacker can exploit this vulnerability by:

  1. Authenticating to the TranZman web application with admin credentials
  2. Initiating a legitimate operation such as job creation or execution
  3. Intercepting the HTTP request using a proxy tool
  4. Modifying vulnerable parameters to include shell metacharacters and malicious commands
  5. Forwarding the modified request to the appliance

The injected commands execute with root privileges on the underlying operating system. For example, an attacker could inject commands to establish reverse shells, exfiltrate data, install backdoors, or pivot to other systems on the network. Technical details and proof-of-concept information are available in the GitHub Repository for Cohesity CVEs and GitHub Gist Exploit Details.

Detection Methods for CVE-2025-67840

Indicators of Compromise

  • Unexpected outbound network connections from TranZman appliances to unfamiliar IP addresses
  • Anomalous processes spawned by web application worker processes, particularly shell interpreters (/bin/sh, /bin/bash)
  • Evidence of shell metacharacters (;, |, &&, `, $()) in web application access logs for API endpoints
  • Modifications to system files or creation of new user accounts outside normal administrative workflows
  • Presence of reverse shell artifacts or unusual cron jobs on the appliance

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block requests containing shell metacharacters in API parameters
  • Monitor API endpoint access logs for patterns indicative of command injection attempts
  • Deploy network intrusion detection signatures to identify reverse shell traffic or data exfiltration from TranZman appliances
  • Configure SIEM alerts for unusual process chains originating from web server processes

Monitoring Recommendations

  • Enable detailed logging on TranZman appliances and forward logs to centralized security monitoring
  • Monitor for authentication events followed by suspicious API calls, particularly to Scheduler and Actions endpoints
  • Implement process execution monitoring on TranZman systems to detect unexpected command execution
  • Establish baselines for normal appliance behavior and alert on deviations

How to Mitigate CVE-2025-67840

Immediate Actions Required

  • Restrict network access to TranZman administrative interfaces to trusted IP ranges only
  • Implement additional authentication controls such as multi-factor authentication for admin accounts
  • Review and audit all administrative accounts for unauthorized access or compromise
  • Place TranZman appliances behind a web application firewall configured to block command injection patterns
  • Monitor appliances for indicators of compromise as detailed above

Patch Information

The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (TZM_1757588060_SEP2025_FULL.depot) as of the time of testing. Organizations should monitor Cohesity's official channels for security updates addressing these command injection vulnerabilities. Contact Cohesity for the latest security guidance and patch availability.

Workarounds

  • Implement network segmentation to isolate TranZman appliances from general network access
  • Restrict administrative access to a jump server or bastion host with enhanced monitoring
  • Deploy a reverse proxy with input validation rules that strip or reject requests containing shell metacharacters
  • Limit the number of users with administrative access to reduce the attack surface
  • Consider disabling or restricting access to vulnerable API endpoints (Scheduler and Actions pages) until a patch is available
bash
# Example: Network ACL to restrict TranZman admin access
# Allow only trusted management network to access admin interface
iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne