Cyber Resilience

CVE-2025-63909

High · Public PoC

Published: 03 March 2026
Modified: 05 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63909 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Cohesity TranZman. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 2.5th percentile by exploit likelihood, which is below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-63909 is an incorrect access control vulnerability affecting the /opt/SRLtzm/bin/TapeDumper component in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The flaw, classified as CWE-269 (Improper Privilege Management), enables escalation to root along with the ability to read and write arbitrary files on the affected system. The vulnerability carries a CVSS v3.1 base score of 7.2 (High), reflecting network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability.

Exploitation requires high privileges (PR:H): a privileged attacker with network access to the appliance can trigger the issue without user interaction. Successful exploitation grants root-level access with arbitrary file read and write, which could lead to complete system compromise, data exfiltration, or persistent backdoor installation.

Mitigation details and advisories are documented in the referenced sources, including a GitHub Gist at https://gist.github.com/GregDurys/d402038147e36de5908159d9722072ef and the Cohesity TranZman CVEs repository at https://github.com/GregDurys/Cohesity-TranZman-CVEs. Security practitioners should consult these for patch availability or workarounds specific to Release 4.0 Build 14614.

EU & UK References

Vulnerability details

Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers to escalate privileges to root and read and write arbitrary files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Direct mapping to exploitation of improper privilege management (CWE-269) for root escalation and arbitrary file access on a network-reachable appliance component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-67840 · Same product: Cohesity Tranzman
CVE-2025-63910 · Same product: Cohesity Tranzman
CVE-2025-63911 · Same product: Cohesity Tranzman
CVE-2025-63912 · Same product: Cohesity Tranzman
CVE-2024-44250 · Shared CWE-269
CVE-2024-53706 · Shared CWE-269
CVE-2025-66374 · Shared CWE-269
CVE-2026-28995 · Shared CWE-269
CVE-2025-43199 · Shared CWE-269
CVE-2025-36640 · Shared CWE-269

Affected Assets

Vendor: cohesity
Product: tranzman
Version: 4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access restrictions on TapeDumper so that the binary cannot be abused for unauthorized root privilege escalation or arbitrary file read/write.

prevent

Requires the TapeDumper component and its callers to operate under least privilege, eliminating the excessive rights that enable escalation to root.

prevent

Process isolation limits the ability of the vulnerable TapeDumper binary to affect other system processes or gain broader root-level file system access.

References