CVE-2025-67840 identifies multiple authenticated OS command injection vulnerabilities in the Cohesity TranZman 4.0 Build 14614 appliance, specifically within its web application API endpoints such as Scheduler and Actions pages. The root cause is the direct concatenation of user-controlled parameters into system commands without adequate sanitization, enabling an authenticated administrator to inject shell metacharacters and execute arbitrary commands on the underlying operating system with root privileges. The attack vector involves intercepting legitimate API requests—such as those made during job creation or execution—via a proxy and modifying parameters to include malicious payloads. This bypasses the intended CLISH restricted shell confinement mechanism, which is designed to limit command execution scope, resulting in full system compromise. The vulnerability remains present even after applying the latest patch available at the time of testing (TZM_1757588060_SEP2025_FULL.depot). The CVSS v3.1 base score is 7.2, reflecting high severity due to the high impact on confidentiality, integrity, and availability, combined with low attack complexity and the requirement for authenticated privileged access. No public exploits have been reported yet, but the nature of the vulnerability makes it a critical risk for organizations relying on this appliance for backup and storage management. The underlying CWE is CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The vulnerability allows an authenticated administrator to execute arbitrary OS commands with root privileges on the Cohesity TranZman appliance, leading to complete system compromise. This can result in unauthorized data access, data manipulation, deletion, or disruption of backup and storage services critical to organizational operations. The compromise of backup infrastructure can severely affect disaster recovery capabilities and data integrity. Attackers gaining root access could also pivot to other parts of the network, escalate privileges, or deploy persistent malware. Since the appliance is typically used in enterprise environments for data protection, the impact extends to loss of confidentiality, integrity, and availability of critical business data. The requirement for authenticated admin access limits exposure but does not eliminate risk, especially if credential theft or insider threat scenarios occur. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation attempts.

Organizations should immediately review and restrict administrative access to the Cohesity TranZman appliance, enforcing strong authentication and monitoring for suspicious admin activity. Network segmentation should isolate the appliance from untrusted networks to reduce interception risks. Since the vulnerability persists in the latest patch at the time of testing, organizations should engage with Cohesity support to obtain updates or workarounds addressing this issue. In the interim, administrators should avoid using vulnerable API endpoints or limit their usage to trusted environments. Implementing strict input validation and sanitization on all user-supplied parameters is critical; if possible, disable or restrict features that allow command execution via the web interface. Employ network-level protections such as TLS interception prevention and use of secure management channels to prevent request tampering. Regularly audit appliance logs for anomalous commands or access patterns. Finally, prepare incident response plans for potential exploitation scenarios involving this vulnerability.