CVE-2025-67840 is an authenticated OS command injection vulnerability found in the Cohesity TranZman 4.0 Build 14614 appliance, specifically within its web application API endpoints such as Scheduler and Actions pages. The root cause is the direct concatenation of user-supplied parameters into system commands without adequate sanitization or validation. This insecure coding practice allows an authenticated administrator to intercept legitimate API requests—such as those involved in job creation or execution—using a proxy tool and modify parameters to include shell metacharacters. These crafted inputs enable the injection and execution of arbitrary operating system commands with root-level privileges on the appliance. The vulnerability effectively bypasses the appliance's intended CLISH restricted shell confinement, which is designed to limit command execution scope. Despite the availability of patches, the issue remains present in the latest build TZM_1757588060_SEP2025_FULL.depot at the time of testing, indicating incomplete remediation. The CVSS v3.1 base score is 7.2, reflecting high severity due to the ease of exploitation by authenticated users, the high impact on confidentiality, integrity, and availability, and the lack of user interaction requirements. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations using this appliance for data management and backup operations.

The exploitation of CVE-2025-67840 can lead to complete system compromise of the affected Cohesity TranZman appliance. Since the attacker gains root-level command execution, they can manipulate, exfiltrate, or destroy sensitive backup and data management information stored or processed by the appliance. This compromises data confidentiality and integrity, potentially disrupting critical backup and recovery operations, which can severely impact business continuity. The availability of the appliance can also be affected if malicious commands disrupt services or delete essential files. Given that the vulnerability requires authenticated admin access, the risk is heightened in environments where credential compromise or insider threats exist. Organizations relying on these appliances for enterprise data protection could face significant operational and reputational damage if exploited. Additionally, the bypass of the CLISH restricted shell means traditional containment controls are ineffective, increasing the difficulty of detection and remediation.

Organizations should immediately review and restrict administrative access to the Cohesity TranZman appliance, enforcing strong authentication and monitoring for suspicious activity. Network segmentation should isolate the appliance from untrusted networks to reduce exposure. Since the vulnerability persists in the latest available patch, organizations must engage directly with Cohesity support to obtain updated patches or workarounds addressing this issue. In the interim, administrators should avoid using vulnerable API endpoints for job creation or execution and consider disabling or limiting access to the Scheduler and Actions pages if feasible. Employing web application firewalls (WAFs) with custom rules to detect and block suspicious command injection patterns in API requests can provide additional protection. Regularly auditing logs for anomalous command executions and proxy usage is critical for early detection. Finally, organizations should implement robust credential management and consider multi-factor authentication to reduce the risk of unauthorized admin access.