Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.2
Cohesity TranZman API Allows Authorized Users to Execute Unintended System Commands
CVE-2025-67840
Summary
A security issue in Cohesity TranZman's API allows authorized users to execute unintended system commands, potentially leading to full system compromise if an attacker intercepts and modifies legitimate requests. This issue affects all versions of the software up to and including the latest patched version. To protect your system, update to the latest patched version or apply additional security measures to prevent unauthorized access.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| cohesity | tranzman | 4.0 | – |
Original title
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoin...
Original description
Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.
nvd CVSS3.1
7.2
Vulnerability type
CWE-78
OS Command Injection
- https://cohesity.com Product
- https://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270 Exploit Third Party Advisory
- https://github.com/GregDurys/Cohesity-TranZman-CVEs Third Party Advisory
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026