Cyber Posture

CVE-2025-63911

HighPublic PoCRCE

Published: 03 March 2026

Published
03 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0023 45.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63911 is a high-severity OS Command Injection (CWE-78) vulnerability in Cohesity Tranzman. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-27 Platform-independent Applications
addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

SI-10 Information Input Validation
addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

Authenticated remote OS command injection (CWE-78) directly enables exploitation of the public-facing appliance for initial access and arbitrary command execution via shell interpreters.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to contain an authenticated command injection vulnerability.

Deeper analysisAI

CVE-2025-63911 is an authenticated command injection vulnerability (CWE-78) in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The issue allows injection of operating system commands through an authenticated interface. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-03T18:16:23.773.

A high-privileged user (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction required (UI:N). Successful exploitation enables arbitrary command execution on the appliance, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged security scope (S:U).

Mitigation details, including any available patches or advisories, are provided in the following references: https://gist.github.com/GregDurys/8b7a3022c04b6cee8c1e1af04f5671b2 and https://github.com/GregDurys/Cohesity-TranZman-CVEs. Security practitioners should consult these sources for vendor-specific remediation guidance.

Details

CWE(s)
CWE-78

Affected Products

cohesity
tranzman
4.0

CVEs Like This One

CVE-2025-67840Same product: Cohesity Tranzman
CVE-2025-63910Same product: Cohesity Tranzman
CVE-2025-63912Same product: Cohesity Tranzman
CVE-2025-63909Same product: Cohesity Tranzman
CVE-2025-36604Shared CWE-78
CVE-2025-61304Shared CWE-78
CVE-2026-22901Shared CWE-78
CVE-2026-25108Shared CWE-78
CVE-2025-54795Shared CWE-78
CVE-2026-1345Shared CWE-78

References