Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed vulnerability in FileZen to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-25108 (CVSS v4 score: 8.7), is a case of operating system (OS) command injection that could allow an authenticated user to execute
Analysis Summary
# Vulnerability: OS Command Injection in Soliton FileZen (Active Exploitation)
## CVE Details
- CVE ID: CVE-2026-25108
- CVSS Score: 8.7 (High, based on CVSS v4)
- CWE: OS Command Injection
## Affected Systems
- Products: Soliton Systems K.K FileZen
- Versions:
- Versions 4.2.1 through 4.2.8
- Versions 5.0.0 through 5.0.10
- Configurations: Exploitation is only possible when the **FileZen Antivirus Check Option** is enabled. The attacker must be authenticated with general user privileges.
## Vulnerability Description
The vulnerability is an Operating System (OS) command injection flaw present in FileZen. An authenticated user can exploit this vulnerability by sending a specially crafted HTTP request to the web interface. Successful exploitation allows the attacker to execute arbitrary OS commands on the underlying system.
## Exploitation
- Status: **Exploited in the wild** (Added to CISA KEV catalog)
- Complexity: Implied Medium (Requires authentication)
- Attack Vector: Adjacent (Likely via the network interface used for the web service)
## Impact
- Confidentiality: Potential compromise (Execution of commands could lead to data exfiltration)
- Integrity: Potential compromise (Execution of commands could lead to system modification)
- Availability: Potential compromise (Execution of commands could lead to service disruption)
## Remediation
### Patches
- Update FileZen to **version 5.0.11 or later** to fully mitigate the threat.
### Workarounds
- If updating is not immediately possible, change all user passwords as a precaution, as an attacker could be logged in using a legitimate account due to successful exploitation. (Note: This does not fix the underlying vulnerability.)
## Detection
- **Indicators of compromise:** Monitor HTTP requests for unusual or malicious payloads directed at the FileZen web interface, particularly requests sent after successful user login. Look for unexpected command execution artifacts on the server hosting FileZen.
- **Detection methods and tools:** Utilize network monitoring and Endpoint Detection and Response (EDR) solutions to look for evidence of arbitrary command execution originating from the FileZen process following authenticated sessions.
## References
- CISA KEV Catalog Entry: (URL not provided in source)
- Soliton Advisory: hxxps://www.soliton.co.jp/support/2026/006657.html
- JVN Advisory: hxxps://jvn.jp/en/jp/JVN84622767/