Cohesity TranZman Migration Appliance Unsigned Patch Upload Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability allowing authenticated administrators to upload unsigned patch files has been identified in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. This flaw enables the execution of arbitrary code with root privileges. The issue arises because the patch management system accepts and executes uploaded patches without verifying their authenticity or content. Exploitation involves modifying a legitimate vendor patch to include malicious code, which is then executed when the patch is applied.
Impact
Exploitation of this vulnerability leads to arbitrary code execution with root privileges on the TranZman appliance. It also poses a software supply chain risk: a tampered patch can be distributed to, and applied on, multiple appliances. Because a modified patch can alter system files, it can also establish persistent backdoors, resulting in a full compromise of the TranZman appliance.
Reproduction
To reproduce this vulnerability, an authenticated administrator can upload a crafted patch file through the TranZman web interface. The patch management system does not verify the signature or authenticity of the uploaded file. Once the patch is uploaded, it can be applied using the application's patch management features, executing any embedded malicious code with root privileges.
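The missing control is authenticity verification of the uploaded patch before it is applied. The following is an added defensive example, not Cohesity's code: a vendor-signed manifest of per-file digests is checked, then every file in the patch archive is compared against it, so a modified, added or missing file is rejected. It assumes a constructed HMAC key as a stand-in for the vendor signature; a real appliance would pin the vendor's public key and verify an asymmetric signature instead.

```python
import hashlib
import hmac
import io
import json
import tarfile

# Assumed key: stands in for the vendor signing secret in this example. A real
# appliance should pin the vendor's public key and verify an asymmetric signature.
VENDOR_KEY = b"constructed-vendor-signing-key"


def build_patch(files):
    """Pack {name: bytes} into an in-memory tar archive (constructed sample patch)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sign_manifest(files):
    """Vendor side: manifest of per-file SHA-256 digests plus a signature over it."""
    manifest = json.dumps(
        {name: hashlib.sha256(data).hexdigest() for name, data in files.items()},
        sort_keys=True,
    ).encode()
    return manifest, hmac.new(VENDOR_KEY, manifest, hashlib.sha256).hexdigest()


def verify_patch(patch, manifest, signature):
    """Appliance side: refuse to apply unless the signature and every digest check out."""
    expected = hmac.new(VENDOR_KEY, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False, "manifest signature invalid"
    digests = json.loads(manifest)
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(patch), mode="r") as tar:
        for member in tar.getmembers():
            if member.name not in digests:
                return False, f"unexpected file in patch: {member.name}"
            actual = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            if not hmac.compare_digest(actual, digests[member.name]):
                return False, f"digest mismatch for {member.name}"
            seen.add(member.name)
    if seen != set(digests):
        return False, "patch is missing files listed in manifest"
    return True, "ok"
```

Only a patch that returns `(True, "ok")` should be handed to the privileged apply step; a rejected upload is also worth logging with the uploading account for detection.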
Remediation
Cohesity has released patches for this vulnerability. Administrators should apply the following updates in order:
1. TZM_patch_1.patch
2. TZM_1760106063_OCT2025R2_FULL.depot
For the latest OVA version with integrated fixes, contact Cohesity support.
