Cohesity TranZman Migration Appliance - 5 CVEs (command injection, LPE, unsigned patches, weak crypto)
嗯,用户让我帮忙总结一篇文章的内容,控制在100个字以内,而且不需要特定的开头。我先看看这篇文章是什么内容。 文章是关于Cohesity TranZman Migration Appliance的五个漏洞披露。作者Greg Durys发现了五个CVE,包括命令注入、本地权限提升、未签名补丁上传和弱加密等问题。每个漏洞都有CVSS评分,影响版本是4.0 Build 14614,已经报告给厂商,并提供了修复补丁和详细的技术文档链接。 我需要把这些信息浓缩到100字以内。首先,点明设备名称和漏洞数量。然后列出主要漏洞类型:命令注入、权限提升、补丁上传问题和加密弱点。最后提到影响版本和修复建议。 要注意用词简洁,避免重复。比如“命令注入”可以涵盖多个CVE,不需要每个都单独提。同时,要确保关键信息如CVSS评分和修复措施都包含进去。 可能的结构是:设备名称 + 漏洞数量 + 主要问题类型 + 影响版本 + 修复建议。这样既全面又简洁。 再检查一下字数,确保不超过限制。可能需要调整句子结构,删减不必要的细节。 最终总结应该清晰明了,让读者快速了解文章的核心内容。 </think> Cohesity TranZman Migration Appliance(版本4.0 Build 14614)被披露存在五个安全漏洞,包括命令注入、本地权限提升、未签名补丁上传及弱加密等问题,影响设备安全性和数据隐私。已提供修复补丁和详细技术文档。 2026-3-12 21:58:57 Author: seclists.org(查看原文) 阅读量:1 收藏
fulldisclosure logo

Full Disclosure mailing list archives

From: GregD via Fulldisclosure <fulldisclosure () seclists org>
Date: Sun, 08 Mar 2026 11:18:05 +0000
Hi,

I'm disclosing five vulnerabilities discovered during an authorised 
security assessment of the Cohesity TranZman Migration Appliance 
(formerly Stone Ram TranZman), Release 4.0 Build 14614.

CVE-2025-67840 - Web API Command Injection (CVSS 7.2 High)
The /api/v1/scheduler/run and /api/v1/actions/run endpoints allow 
authenticated administrators to execute arbitrary commands as root by 
injecting into POST request parameters. Input is not properly sanitised 
before being passed to system commands.

CVE-2025-63911 - CLISH Command Injection (CVSS 7.2 High)
Multiple command injection vectors exist in the CLISH restricted shell, 
allowing authenticated users to escape the restricted environment and 
gain elevated command execution via local privilege escalation.

CVE-2025-63909 - Local Privilege Escalation (CVSS 7.2 High)
Incorrect access control in /opt/SRLtzm/bin/TapeDumper allows 
authenticated users to escalate privileges to root.

CVE-2025-63910 - Unsigned Patch Upload (CVSS 7.2 High)
The patch upload mechanism does not verify signatures, allowing remote 
code execution via crafted patch files.

CVE-2025-63912 - Weak Cryptography / Static XOR (CVSS 5.5 Medium)
The TranZman FTP service (port 55555/TCP) uses XOR with a static, 
hardcoded key instead of proper encryption. An attacker who can
observe network traffic can decrypt the entire control channel - 
exposing credentials, commands, and backup filenames - and forge or 
replay commands to retrieve or tamper with files in transit.

Affected versions: Release 4.0 Build 14614 including patch
TZM_1757588060_SEP2025_FULL.depot

Vendor timeline:
- 26 September 2025: Reported to Cohesity
- 20 October 2025: Cohesity confirmed patches available
- 25 December 2025: 90-day embargo ended
- 27 December 2025: Public disclosure

Patches: Apply TZM_patch_1.patch followed by
TZM_1760106063_OCT2025R2_FULL.depot. Contact Cohesity support
for the latest OVA with integrated fixes.

Full advisories with techincal details:
https://github.com/GregDurys/Cohesity-TranZman-CVEs

Individual advisories (Gists):
https://gist.github.com/GregDurys/ef7fc6a36646df927374bba8e7279270
https://gist.github.com/GregDurys/d402038147e36de5908159d9722072ef
https://gist.github.com/GregDurys/74c36c36bef81293a42022758f2736a9
https://gist.github.com/GregDurys/8b7a3022c04b6cee8c1e1af04f5671b2
https://gist.github.com/GregDurys/4c2765d76272cda64dfc78f7a75a9251

Regards,
Greg Durys

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • Cohesity TranZman Migration Appliance - 5 CVEs (command injection, LPE, unsigned patches, weak crypto) GregD via Fulldisclosure (Mar 12)

文章来源: https://seclists.org/fulldisclosure/2026/Mar/3
如有侵权请联系:admin#unsafe.sh