CVE-2025-67840
Published: 03 March 2026
Summary
CVE-2025-67840 is a high-severity OS Command Injection (CWE-78) vulnerability in Cohesity Tranzman. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated command injection in public web app directly enables T1190 exploitation for RCE; results in arbitrary Unix shell command execution (T1059.004) with root privileges (T1068).
NVD Description
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation,…
more
allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.
Deeper analysisAI
CVE-2025-67840 describes multiple authenticated OS command injection vulnerabilities (CWE-78) in the Cohesity (formerly Stone Ram) TranZman 4.0 web application, affecting API endpoints including the Scheduler and Actions pages from Build 14614 through the patch TZM_1757588060_SEP2025_FULL.depot. The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitization. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
An authenticated administrator can exploit these vulnerabilities by intercepting legitimate requests, such as those during job creation or execution, using a proxy to modify parameters and inject shell metacharacters. This enables execution of arbitrary OS commands with root privileges, resulting in remote code execution on the appliance. The flaws completely bypass the CLISH restricted shell confinement, leading to full system compromise.
Advisory details and proof-of-concept exploits are documented by researcher Greg Durys in a GitHub repository at https://github.com/GregDurys/Cohesity-TranZman-CVEs and a related gist at https://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270. The Cohesity website at https://cohesity.com serves as an additional reference, though the vulnerabilities persist in Release 4.0 Build 14614 including the latest tested patch TZM_1757588060_SEP2025_FULL.depot.
Details
- CWE(s)