How to fix CVE-2025-67840?

Within 24 hours: inventory all Cohesity TranZman deployments and document current versions; restrict API access to trusted networks only and disable Scheduler/Actions features if not critical. Within 7 days: implement WAF rules blocking suspicious API payloads to Scheduler and Actions endpoints; conduct audit logs for suspicious API activity. Within 30 days: contact Cohesity for patch availability and timeline; plan upgrade to patched version; consider air-gapping critical TranZman instances pending patch release.

Is Command Injection affected by CVE-2025-67840?

Cohesity TranZman installations (versions 4.0 Build 14614 through SEP2025) contain authenticated command injection vulnerabilities in web API endpoints that could allow authorized users to execute arbitrary OS commands.

CVE-2025-67840

HIGH

2026-03-03 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:05 vuln.today

PoC Detected

Mar 05, 2026 - 00:15 vuln.today

Public exploit code

CVE Published

Mar 03, 2026 - 18:16 nvd

HIGH 7.2

Description

Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate requests (e.g. during job creation or execution) using a proxy and modify parameters to include shell metacharacters, achieving remote code execution on the appliance. This completely bypasses the intended CLISH restricted shell confinement and results in full system compromise. The vulnerabilities persist in Release 4.0 Build 14614 including the latest patch (as of the time of testing) TZM_1757588060_SEP2025_FULL.depot.

Analysis

Technical Context

Classified as CWE-78 (OS Command Injection). Affects Tranzman. Multiple authenticated OS command injection vulnerabilities exist in the Cohesity (formerly Stone Ram) TranZman 4.0 Build 14614 through TZM_1757588060_SEP2025_FULL.depot web application API endpoints (including Scheduler and Actions pages). The appliance directly concatenates user-controlled parameters into system commands without sufficient sanitisation, allowing an authenticated admin user to inject and execute arbitrary OS commands with root privileges. An attacker can intercept legitimate re

Affected Products

Vendor: Cohesity. Product: Tranzman. Versions: up to 4.0.

Remediation

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: +20

CVE-2025-67840 vulnerability details – vuln.today

Back

CVE-2025-67840

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-67840

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code