CVE-2025-63912
Published: 03 March 2026
Summary
CVE-2025-63912 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Cohesity TranZman. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 0.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2025-63912 is a vulnerability in the Cohesity TranZman Migration Appliance Release 4.0 Build 14614, where a weak cryptography algorithm (CWE-327) is used for data encryption. This flaw enables attackers to trivially reverse the encryption and expose credentials. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-based attacks.
Remote attackers require no privileges or user interaction to exploit this vulnerability. Successful exploitation allows them to decrypt protected data and retrieve sensitive credentials stored within the appliance.
Further details, including potential mitigation guidance, are available in the following references: https://gist.github.com/GregDurys/4c2765d76272cda64dfc78f7a75a9251 and https://github.com/GregDurys/Cohesity-TranZman-CVEs.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208244
Vulnerability details
Cohesity TranZman Migration Appliance Release 4.0 Build 14614 was discovered to use a weak cryptography algorithm for data encryption, allowing attackers to trivially reverse the encryption and expose credentials.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak crypto (CWE-327) in a network-accessible appliance directly enables remote unauthenticated decryption of stored credentials (T1190 + T1552).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires approved cryptographic algorithms and prohibits weak algorithms such as the one used in CVE-2025-63912 for protecting credentials.
Mandates cryptographic protection of information at rest, directly preventing exposure of stored credentials via weak encryption on the appliance.
Requires secure management and protection of authenticators, which would be undermined by the weak encryption flaw allowing credential exposure.