FKIE_CVE-2025-67840

Vulnerability from fkie_nvd - Published: 2026-03-03 18:16 - Updated: 2026-03-05 00:15
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.
References
cve@mitre.orghttps://cohesity.comProduct
cve@mitre.orghttps://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270Exploit, Third Party Advisory
cve@mitre.orghttps://github.com/GregDurys/Cohesity-TranZman-CVEsThird Party Advisory
Impacted products
Vendor Product Version
cohesity tranzman 4.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cohesity:tranzman:4.0:build14614:*:*:*:*:*:*",
              "matchCriteriaId": "F4F9B91B-96B6-411A-A53D-FEB5665D1FCA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n de comandos del sistema operativo autenticadas existen en los puntos finales de la API de la aplicaci\u00f3n web Cohesity (anteriormente Stone Ram) TranZman 4.0 Build 14614 hasta TZM_1757588060_SEP2025_FULL.depot (incluyendo las p\u00e1ginas de Programador y Acciones). El dispositivo concatena directamente par\u00e1metros controlados por el usuario en comandos del sistema sin suficiente saneamiento, permitiendo a un usuario administrador autenticado inyectar y ejecutar comandos arbitrarios del sistema operativo con privilegios de root. Un atacante puede interceptar solicitudes leg\u00edtimas (por ejemplo, durante la creaci\u00f3n o ejecuci\u00f3n de trabajos) utilizando un proxy y modificar par\u00e1metros para incluir metacaracteres de shell, logrando la ejecuci\u00f3n remota de c\u00f3digo en el dispositivo. Esto elude completamente el confinamiento de shell restringido CLISH previsto y resulta en un compromiso total del sistema. Las vulnerabilidades persisten en la versi\u00f3n 4.0 Build 14614 incluyendo el \u00faltimo parche (al momento de la prueba) TZM_1757588060_SEP2025_FULL.depot."
    }
  ],
  "id": "CVE-2025-67840",
  "lastModified": "2026-03-05T00:15:59.597",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "cve@mitre.org",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-03T18:16:24.033",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://cohesity.com"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/GregDurys/Cohesity-TranZman-CVEs"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.