What is the CVSS score of CVE-2025-67840?

CVE-2025-67840 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Tranzman are affected by CVE-2025-67840?

Cohesity TranZman installations (versions 4.0 Build 14614 through SEP2025) contain authenticated command injection vulnerabilities in web API endpoints that could allow authorized users to execute…

Is there a public PoC exploit available for CVE-2025-67840?

Yes, a public proof-of-concept exploit is available for CVE-2025-67840. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-67840?

Within 24 hours: inventory all Cohesity TranZman deployments and document current versions; restrict API access to trusted networks only and disable Scheduler/Actions features if not critical. Within 7 days: implement WAF rules blocking suspicious API payloads to Scheduler and Actions endpoints; conduct audit logs for suspicious API activity. Within 30 days: contact Cohesity for patch availability and timeline; plan upgrade to patched version; consider air-gapping critical TranZman instances pending patch release.

Tranzman CVE-2025-67840

HIGH

OS Command Injection (CWE-78)

2026-03-03 cve@mitre.org

RCE Command Injection Tranzman

7.2

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.2 HIGH

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

PoC Detected

Mar 05, 2026 - 00:15 vuln.today

Public exploit code

CVE Published

Mar 03, 2026 - 18:16 nvd

HIGH 7.2

DescriptionCVE.org

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.

AnalysisAI

Technical ContextAI

Classified as CWE-78 (OS Command Injection). Affects Tranzman. Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate re

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

CVE-2025-67840 vulnerability details – vuln.today

Back

Tranzman CVE-2025-67840

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code