CVE-2025-67840 - Vulnerability Analysis
HighCVSS: 7.2Last Updated: March 5, 2026
Cohesity TranZman - OS Command Injection
Published: March 3, 2026Updated: March 5, 2026PoC AvailableRemote Exploitable
Overview
Cohesity TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot contains authenticated OS command injection caused by unsanitized user parameters in API endpoints, letting authenticated admin users execute arbitrary commands as root, exploit requires admin authentication.
Severity & Score
Severity: High
CVSS Score: 7.2
Impact
Authenticated admin users can execute arbitrary OS commands as root, leading to full system compromise.
Mitigation
Update to a fixed version beyond 4.0 Build 14614 or apply vendor patches when available.
References
Related Resources
Details
- CVE ID
- CVE-2025-67840
- Severity
- High
- CVSS Score
- 7.2
- Type
- command_injection
- Status
- confirmed
CWE
- CWE-78
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H