Cyber Resilience

CVE-2025-67840

Severity: High · Public PoC · RCE

Published: 03 March 2026
Modified: 05 March 2026
KEV Added: not listed
CVSS Score (v3.1): 7.2 · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0005 (17.0th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-67840 is a high-severity OS Command Injection (CWE-78) vulnerability in Cohesity Tranzman. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 17.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-67840 describes multiple authenticated OS command injection vulnerabilities (CWE-78) in the Cohesity (formerly Stone Ram) TranZman 4.0 web application, affecting API endpoints including the Scheduler and Actions pages from Build 14614 through the patch TZM_1757588060_SEP2025_FULL.depot. The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitization. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

An authenticated administrator can exploit these vulnerabilities by intercepting legitimate requests, such as those during job creation or execution, using a proxy to modify parameters and inject shell metacharacters. This enables execution of arbitrary OS commands with root privileges, resulting in remote code execution on the appliance. The flaws completely bypass the CLISH restricted shell confinement, leading to full system compromise.

Advisory details and proof-of-concept exploits are documented by researcher Greg Durys in a GitHub repository at https://github.com/GregDurys/Cohesity-TranZman-CVEs and a related gist at https://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270. The Cohesity website at https://cohesity.com serves as an additional reference, though the vulnerabilities persist in Release 4.0 Build 14614 including the latest tested patch TZM_1757588060_SEP2025_FULL.depot.


Vulnerability details

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Authenticated command injection in a public-facing web application directly enables exploitation for RCE (T1190); the result is arbitrary Unix shell command execution (T1059.004) with root privileges (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63911 · Same product: Cohesity Tranzman
CVE-2025-63909 · Same product: Cohesity Tranzman
CVE-2025-63912 · Same product: Cohesity Tranzman
CVE-2025-63910 · Same product: Cohesity Tranzman
CVE-2025-56102 · Shared CWE-78
CVE-2025-20029 · Shared CWE-78
CVE-2026-28774 · Shared CWE-78
CVE-2026-30809 · Shared CWE-78
CVE-2025-56077 · Shared CWE-78
CVE-2026-28773 · Shared CWE-78

Affected Assets

Vendor: cohesity · Product: tranzman · Version: 4.0

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation

Directly requires validation and sanitization of untrusted input parameters before they are concatenated into OS commands, blocking the CWE-78 injection vector at the Scheduler/Actions API endpoints.

prevent · AC-6 Least Privilege

Enforces least-privilege execution so that even a successful injection cannot automatically obtain root privileges or fully escape the CLISH restricted shell.

prevent

Restricts the set of allowed system commands and disables unnecessary interpreters or shell metacharacter processing that the vulnerable endpoints rely on.
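The controls above describe the fix pattern for CWE-78 in the abstract. The following Python block is an added illustration written for this page; it is not Cohesity's code, not the researcher's proof-of-concept, and not a description of TranZman internals. It contrasts the vulnerable shape the advisory describes (a user-controlled parameter concatenated into one shell command string) with the hardened shape the SI-10 control calls for (an allowlist check on the parameter, then execution as an argument vector with no shell involved). The binary path `/opt/tzm/bin/run-job`, the `--name` option and the two sample job names are constructed for the example.

```python
import re
import subprocess

# Constructed sample values for a user-controlled scheduler parameter.
# Neither value comes from the advisory.
VALID_JOB_NAME = "nightly_backup_01"
TAINTED_JOB_NAME = "nightly_backup_01; id"  # constructed: carries shell metacharacters

# Allowlist grammar for the parameter: letters, digits, underscore, dot, dash; bounded length.
JOB_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Characters a POSIX shell would interpret if the string ever reached it via shell=True.
SHELL_METACHARACTERS = set(";|&$`<>(){}[]*?!#~\n\"'\\ ")

# Hypothetical path; stands in for whatever the appliance actually invokes.
RUN_JOB_BINARY = "/opt/tzm/bin/run-job"


def validate_job_name(name: str) -> str:
    """SI-10 style allowlist check: accept only the documented grammar, reject everything else."""
    if not JOB_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected job name: {name!r}")
    return name


def has_shell_metacharacters(value: str) -> bool:
    """Detection helper: flags submitted parameters worth logging or alerting on."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def build_command_unsafe(job_name: str) -> str:
    """The vulnerable shape: the raw parameter is spliced into a single shell string.

    Returned as a string only so the two shapes can be compared; it is never executed here.
    """
    return f"{RUN_JOB_BINARY} --name {job_name}"


def build_command_safe(job_name: str) -> list[str]:
    """The hardened shape: validated value placed as one argv element, no shell parsing."""
    return [RUN_JOB_BINARY, "--name", validate_job_name(job_name)]


def run_echo_demo(job_name: str) -> str:
    """Stand-in for executing the job, using 'echo' as argv[0] so the block runs anywhere.

    With shell=False the argument reaches the child process literally, so a value such as
    "nightly_backup_01; id" is printed back as text rather than split into two commands.
    """
    result = subprocess.run(["echo", job_name], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("unsafe string:", build_command_unsafe(TAINTED_JOB_NAME))
    print("metacharacters present:", has_shell_metacharacters(TAINTED_JOB_NAME))
    print("argv passes value literally:", run_echo_demo(TAINTED_JOB_NAME))
    try:
        build_command_safe(TAINTED_JOB_NAME)
    except ValueError as exc:
        print("allowlist rejected:", exc)
    print("safe argv:", build_command_safe(VALID_JOB_NAME))
```

Two independent layers are at work: the allowlist rejects the tainted value outright, and even if a parameter slipped past validation, `subprocess.run` with a list argument never hands the string to `/bin/sh`, so `;`, `|`, `$()` and backticks carry no meaning. The AC-6 control complements this in deployment rather than in code: the service account that runs the job handler should not be root, so that a bypass of either layer does not land with root privileges.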
