Cohesity TranZman Web API Command Injection Vulnerability
Vulnerability
A high-severity OS command injection vulnerability has been identified in the Cohesity TranZman Migration Appliance, specifically in Release 4.0 Build 14614, including the latest patch as of testing. This vulnerability exists within the web application API endpoints, particularly the Scheduler and Actions pages. The issue arises because the application directly concatenates user-controlled input into system commands without adequate sanitization. As a result, an authenticated admin user can inject and execute arbitrary OS commands with root privileges. Exploitation can be achieved by intercepting and modifying legitimate requests to include shell metacharacters, thereby executing commands on the appliance. This exploitation bypasses the intended CLISH restricted shell confinement, leading to a complete system compromise.
Impact
Exploitation of this vulnerability allows authenticated administrators to execute arbitrary commands as root, bypassing the CLISH restricted shell and compromising the entire system. Additionally, it exposes all backup metadata and credentials stored on the appliance.
Reproduction
To reproduce this vulnerability, log into the TranZman web application as an admin. Navigate to the Scheduler or Actions page and intercept the request using a web proxy. Modify the parameters to include shell metacharacters or commands, then send the request. The injected command will be executed on the appliance with root privileges, providing a reverse shell to the attacker.
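The root cause described above is user-controlled parameters being concatenated into a shell command string. The following is an added example, not Cohesity's code and not taken from the appliance: it shows the defensive pattern for a scheduler-style endpoint (allow-list validation of each parameter, then execution as an argv list with no shell involved) and a small detection pass that flags Scheduler/Actions requests in an access log whose parameters carry shell metacharacters. The endpoint paths, parameter names (`job`, `action`), the `/bin/echo` stand-in for the real scheduler binary, and the log format are all assumptions constructed for illustration.

```python
"""Added example: allow-list validation, argv-based execution, and a log scan
for shell metacharacters.  Names, paths and log format are assumptions."""
import re
import subprocess
from urllib.parse import parse_qsl, urlsplit

# Allow-list for a scheduler job name: letters, digits, '_', '.', '-', 1..64 chars.
JOB_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Characters a POSIX shell treats specially.  Any of these in a value means it
# could change command structure if it were ever concatenated into a shell line.
SHELL_META = frozenset(";|&$`<>()\n\r'\"\\*?{}[]!#~")

# Hypothetical action names for the example endpoint.
ALLOWED_ACTIONS = {"start", "stop", "status"}


def contains_shell_metachars(value: str) -> bool:
    """True if the value holds any character a shell could interpret."""
    return any(ch in SHELL_META for ch in value)


def validate_job_name(value: str) -> str:
    """Reject anything outside the allow-list; raise rather than try to 'clean'."""
    if not JOB_NAME_RE.fullmatch(value):
        raise ValueError(f"invalid job name: {value!r}")
    return value


def validate_action(value: str) -> str:
    """Actions come from a fixed set, so compare against it rather than a pattern."""
    if value not in ALLOWED_ACTIONS:
        raise ValueError(f"invalid action: {value!r}")
    return value


def run_scheduler_action(job_name: str, action: str) -> str:
    """Hardened form: validated values are passed as separate argv elements.

    No shell is involved, so the arguments cannot split into extra commands
    even if a metacharacter slipped past validation.  /bin/echo stands in for
    the real scheduler binary, whose name is not given on the page.
    """
    argv = ["/bin/echo", "scheduler", validate_action(action), validate_job_name(job_name)]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


def scan_request_log(lines):
    """Detection: return (line_no, param, value) for every query parameter on a
    Scheduler/Actions request whose decoded value contains shell metacharacters.

    The expected line shape is '<client> <method> <path?query>' (constructed,
    simplified access-log format).
    """
    hits = []
    for no, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        target = urlsplit(parts[2])
        if not (target.path.startswith("/scheduler") or target.path.startswith("/actions")):
            continue
        for param, value in parse_qsl(target.query, keep_blank_values=True):
            if contains_shell_metachars(value):
                hits.append((no, param, value))
    return hits


# Constructed sample log: line 2 and line 3 carry metacharacters in a parameter.
SAMPLE_LOG = [
    "203.0.113.5 GET /scheduler/run?job=nightly-backup&action=start",
    "203.0.113.5 GET /actions/run?job=nightly%3Bprobe&action=start",
    "203.0.113.5 GET /actions/run?job=nightly-backup&action=start%7C%7Cstatus",
    "203.0.113.5 GET /login?user=admin",
]


if __name__ == "__main__":
    print(run_scheduler_action("nightly-backup", "start"))
    for hit in scan_request_log(SAMPLE_LOG):
        print("suspicious parameter:", hit)
```

The two halves reinforce each other: the allow-list rejects the metacharacters before any command is built, and the argv form means the command line is never reparsed by a shell, so a single validation gap cannot become root execution. The log scan is the same character set applied retrospectively, which is what a responder would run over proxy or appliance access logs while the patches in the Remediation section are being rolled out.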
Remediation
Cohesity has released patches for this vulnerability. Users should apply the patches in the following order: `TZM_patch_1.patch` followed by `TZM_1760106063_OCT2025R2_FULL.depot`. For the latest OVA version with integrated fixes, contact Cohesity support.
