CVE-2025-63909
Published: 03 March 2026
Summary
CVE-2025-63909 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cohesity TranZman. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-63909 is an incorrect access control vulnerability affecting the /opt/SRLtzm/bin/TapeDumper component in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This flaw, linked to CWE-269 (Improper Privilege Management), enables escalation to root privileges along with the ability to read and write arbitrary files on the affected system. The vulnerability carries a CVSS v3.1 base score of 7.2 (High), reflecting network accessibility, low attack complexity, and high impacts on confidentiality, integrity, and availability.
Exploitation requires high privileges (PR:H): a privileged attacker with network access to the appliance can trigger the issue without user interaction. Successful exploitation grants root-level access, enabling full arbitrary file read and write operations, which could lead to complete system compromise, data exfiltration, or persistent backdoor installation.
Mitigation details and advisories are documented in the referenced sources, including a GitHub Gist at https://gist.github.com/GregDurys/d402038147e36de5908159d9722072ef and the Cohesity TranZman CVEs repository at https://github.com/GregDurys/Cohesity-TranZman-CVEs. Security practitioners should consult these for patch availability or workarounds specific to Release 4.0 Build 14614.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208241
Vulnerability details
Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to exploitation of improper privilege management (CWE-269) for root escalation and arbitrary file access on a network-reachable appliance component.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces access restrictions on TapeDumper so that the binary cannot be abused for unauthorized root privilege escalation or arbitrary file read/write.
Requires the TapeDumper component and its callers to operate under least privilege, eliminating the excessive rights that enable escalation to root.
Process isolation limits the ability of the vulnerable TapeDumper binary to affect other system processes or gain broader root-level file system access.