PT-2026-22772 · Cohesity · Cohesity Tranzman

Published: 2026-03-03 · Updated: 2026-03-05 · CVE-2025-67840

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Cohesity TranZman versions 4.0 Build 14614 through TZM 1757588060 SEP2025 FULL.depot

Description: The software contains authenticated OS command injection flaws in its web application API endpoints, including those behind the Scheduler and Actions pages. The appliance concatenates user-controlled request parameters into system commands without sanitisation, so an authenticated administrator (hence PR:H in the CVSS vector) can inject and execute arbitrary OS commands with root privileges. An attacker can intercept a legitimate request, such as a job-creation or job-execution call, in a proxy and add shell metacharacters to its parameters, obtaining remote code execution on the appliance. This bypasses the CLISH restricted-shell confinement and results in full system compromise. The issue persists in the latest patch available at the time of testing, TZM 1757588060 SEP2025 FULL.depot.

Recommendations: Versions 4.0 Build 14614 through TZM 1757588060 SEP2025 FULL.depot: at the moment there is no information about a newer version that contains a fix for this vulnerability.
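The flaw class described above, as an added illustration that is not code from Cohesity, from the appliance, or from the advisory: a hypothetical job-scheduler handler that concatenates a request parameter into a shell command line, beside the hardened form that checks the value against an allow-list and builds an argument vector that never reaches a shell. The field names, the `tzm-schedule` binary and both sample requests are constructed for the example; nothing is executed, the command strings are only tokenised the way a POSIX shell would be to show the injected second command. The last function is the detection-side counterpart: a check over request parameters that flags shell metacharacters in API or proxy logs while no fixed build exists.

```python
import re
import shlex

# Constructed sample requests (not captured from the appliance): a legitimate
# job-creation call and the same call after an attacker has edited "job_name"
# in an intercepting proxy to append a second shell command.
LEGIT_PARAMS = {"job_name": "nightly_backup", "source": "/data/vol1"}
INJECTED_PARAMS = {"job_name": "nightly_backup; id", "source": "/data/vol1"}

# Hypothetical back-end helper; the advisory does not name the real command.
SCHEDULER_BIN = "tzm-schedule"

# Shell-syntax characters that have no business in an identifier-like field.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n\r]")

# Allow-list for job names: identifier characters only, bounded length.
JOB_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Tokens that end one simple command and start another in sh.
COMMAND_SEPARATORS = {";", "&", "&&", "|", "||"}


def build_command_vulnerable(params):
    """The vulnerable pattern: request fields are concatenated into a single
    string destined for ``sh -c``. Returned here, never executed."""
    return f"{SCHEDULER_BIN} --name {params['job_name']} --src {params['source']}"


def shell_commands(command_line):
    """Tokenise a command line as a POSIX shell would and group the tokens
    into simple commands. A value that smuggles a separator shows up as an
    extra argv list, which is exactly what the shell would run. With
    punctuation_chars set, shlex treats ();<>|& as operators and adds
    ~-./*?= to the word characters, so paths and flags stay whole."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in COMMAND_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_job_name(name):
    """True only for names that match the allow-list in full."""
    return JOB_NAME_RE.fullmatch(name) is not None


def build_command_hardened(params):
    """The fixed pattern: refuse values outside the allow-list, then build an
    argument vector for subprocess.run(argv) with shell=False. With no shell
    in the path, a metacharacter in a value is just bytes in one argument."""
    name = params["job_name"]
    if not validate_job_name(name):
        raise ValueError(f"job_name rejected by allow-list: {name!r}")
    return [SCHEDULER_BIN, "--name", name, "--src", params["source"]]


def suspicious_params(params):
    """Detection-side check for API or proxy logs: names of the request
    fields that carry shell metacharacters, for hunting injection attempts
    against appliances that cannot yet be patched."""
    return sorted(key for key, value in params.items() if SHELL_METACHARS.search(value))


if __name__ == "__main__":
    for label, params in (("legitimate", LEGIT_PARAMS), ("injected", INJECTED_PARAMS)):
        print(label, "->", shell_commands(build_command_vulnerable(params)))
    print("flagged fields:", suspicious_params(INJECTED_PARAMS))
    print("hardened argv:", build_command_hardened(LEGIT_PARAMS))
```

The two defences are deliberately layered: the argument vector removes the shell from the execution path, so metacharacters lose their meaning, and the allow-list rejects hostile input before it is acted on at all, which matters for values that are later written to files, cron entries or logs where a different interpreter would see them.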

Exploit · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-67840

Affected Products: Cohesity Tranzman