Cyber Resilience

CVE-2025-63910

Severity: High · Public PoC

Published: 03 March 2026
Modified: 05 March 2026
KEV Added: not listed
Patch:
CVSS Score (v3.1): 7.2 · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0002 (4.5th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63910 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Cohesity Tranzman. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 4.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-63910 is an authenticated arbitrary file upload vulnerability affecting the Cohesity TranZman Migration Appliance Release 4.0 Build 14614. It allows an attacker who already holds Administrator privileges to execute arbitrary code by uploading a crafted patch file that the appliance accepts without verifying its authenticity. The vulnerability is classified as CWE-345 (Insufficient Verification of Data Authenticity) and has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts.

Exploitation requires an authenticated attacker with high-privilege Administrator access over the network, with low attack complexity and no user interaction needed. Successful exploitation allows arbitrary code execution on the affected appliance, potentially leading to full system compromise given the high impact ratings across all vectors.

Details on mitigation, advisories, and patches can be found in the following references: https://docs.stoneram.com/index.php/Tranzman, https://gist.github.com/GregDurys/74c36c36bef81293a42022758f2736a9, and https://github.com/GregDurys/Cohesity-TranZman-CVEs. The CVE was published on 2026-03-03T18:16:23.630.

EU & UK References

Vulnerability details

An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted patch file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Authenticated arbitrary file upload of crafted patch enables remote code execution on network-accessible appliance (T1190); directly results in arbitrary code/command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63911 · Same product: Cohesity Tranzman
CVE-2025-63912 · Same product: Cohesity Tranzman
CVE-2025-67840 · Same product: Cohesity Tranzman
CVE-2025-63909 · Same product: Cohesity Tranzman
CVE-2026-28454 · Shared CWE-345
CVE-2026-35051 · Shared CWE-345
CVE-2025-1108 · Shared CWE-345
CVE-2025-15385 · Shared CWE-345
CVE-2026-2428 · Shared CWE-345
CVE-2026-33143 · Shared CWE-345

Affected Assets

Vendor: cohesity · Product: tranzman · Version: 4.0

Mitigating Controls (NIST 800-53 r5)

CM-14 (Signed Components) · prevent

Requires cryptographic signing and verification of patch files before installation, directly blocking crafted uploads whose authenticity cannot be verified and that would otherwise lead to code execution.

SI-7 (Software, Firmware, and Information Integrity) · prevent, detect

Mandates integrity verification of software and firmware (including patches) using digital signatures or hashes, preventing execution of malicious files that exploit CWE-345.

prevent

Enforces validation of all input data (file contents, format, and metadata) during patch uploads, mitigating arbitrary file upload vectors that bypass authenticity checks.
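The check these controls describe, as an added example that is not Cohesity's code or the page's own: a patch upload is accepted only if its signed manifest verifies and the payload hash matches that manifest, regardless of the uploader's privileges. The product name, manifest layout and the HMAC key (a stand-in for an asymmetric vendor signature, chosen so the example runs with the standard library) are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key: stands in for the vendor signing secret the appliance trusts.
# HMAC keeps this runnable with the standard library; a real CM-14 design would use an
# asymmetric vendor signature so the appliance holds only a public key.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _canonical(manifest: dict) -> bytes:
    """Serialise the manifest deterministically so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """What a trusted build pipeline ships next to a patch: a MAC over the manifest."""
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_patch(patch_bytes: bytes, manifest: dict, signature: str,
                 expected_product: str = "tranzman", key: bytes = VENDOR_KEY) -> tuple[bool, str]:
    """Gate an uploaded patch: authentic manifest, right product, matching payload hash.

    Returning (False, reason) lets the caller reject the upload and log why; this is the
    step a CWE-345 install path skips when it trusts the uploader's role alone.
    """
    expected_sig = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "manifest signature invalid"
    if manifest.get("product") != expected_product:
        return False, "manifest is for a different product"
    actual = hashlib.sha256(patch_bytes).hexdigest()
    if not hmac.compare_digest(actual, str(manifest.get("sha256", ""))):
        return False, "patch hash does not match signed manifest"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a genuine patch, a swapped payload, and an attacker-edited manifest."""
    patch = b"constructed patch archive bytes"
    manifest = {"product": "tranzman", "version": "4.0",
                "sha256": hashlib.sha256(patch).hexdigest()}
    sig = sign_manifest(manifest)
    # Editing the manifest to match a different payload invalidates the signature.
    forged = dict(manifest, sha256=hashlib.sha256(b"attacker payload").hexdigest())
    return {
        "genuine": verify_patch(patch, manifest, sig),
        "swapped_payload": verify_patch(b"attacker payload", manifest, sig),
        "edited_manifest": verify_patch(b"attacker payload", forged, sig),
    }
```

Only the genuine pair passes; both tampering attempts are rejected with a reason suitable for an audit log entry.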

References