Executive Summary
CISA added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog on February 24, 2026, confirming active exploitation of a critical OS command injection flaw in Soliton Systems' FileZen secure file transfer solution. The vulnerability allows an authenticated attacker to execute arbitrary operating system commands by sending specially crafted HTTP requests to the FileZen appliance. Soliton has confirmed receiving multiple reports of damage caused by attackers abusing this flaw. The vulnerability carries a CVSS v3.0 score of 8.8 (CVSS v4.0 score: 8.7). Federal agencies are required to apply mitigations by March 17, 2026.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-25108 |
| Severity | High |
| CVSS v3.0 Score | 8.8 |
| CVSS v4.0 Score | 8.7 |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command |
| Vendor | Soliton Systems K.K. |
| Product | FileZen (Secure File Transfer) |
| CISA KEV Added | February 24, 2026 |
| CISA Remediation Due | March 17, 2026 |
| Exploitation Status | Actively exploited — vendor-confirmed damage reports |
| Authentication Required | Yes (authenticated attacker) |
Technical Details
Product Background
FileZen is a Japanese-market secure file transfer appliance manufactured by Soliton Systems K.K., widely used by enterprises and government organisations in Japan for secure internal and external file sharing. Due to its network-accessible management interface, internet-facing deployments are particularly at risk.
Vulnerability Root Cause
CVE-2026-25108 is an OS command injection vulnerability (CWE-78) residing in the web management interface of FileZen. The application fails to properly sanitize user-supplied input before passing it to underlying OS command execution functions. By crafting a specially formed HTTP request to a vulnerable endpoint, an authenticated user can inject OS shell metacharacters (e.g., ;, |, &&, `) that are interpreted by the underlying system shell, causing arbitrary commands to be executed with the privileges of the web application process.
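As an added illustration, not code from FileZen or Soliton: a hypothetical handler showing the CWE-78 pattern described above beside its hardened form. The endpoint, the file-name parameter and the store path are assumptions; shell_tokens shows how a shell would parse the interpolated string, and the fixed version validates the value and passes it as a single argv element so no shell ever parses it.

```python
import re
import shlex
import subprocess

# Hypothetical handler for a "file name" parameter that reaches an OS command;
# the real FileZen endpoint, parameter and path names are not in the advisory.
STORE = "/var/filezen/store"  # assumed path, for illustration only
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def shell_tokens(command):
    """Tokenise as a POSIX shell would; ';', '|' and '&&' become separate
    command-separator tokens, which is exactly what CWE-78 abuses."""
    return list(shlex.shlex(command, punctuation_chars=True))

def build_command_vulnerable(filename):
    """The defective pattern: user input interpolated into a shell string that
    would run with shell=True. Shown to expose the defect, not to be executed."""
    return f"ls -l {STORE}/{filename}"

def validate_filename(filename):
    """Allowlist one path component: alphanumerics, dot, dash, underscore;
    this excludes every shell metacharacter and any '/' or leading '.'."""
    return SAFE_NAME.fullmatch(filename) is not None

def build_argv_hardened(filename):
    """The fixed pattern: validate, then build an argv list so no shell parses
    the value; the filename is always exactly one literal argument."""
    if not validate_filename(filename):
        raise ValueError("filename rejected")
    return ["ls", "-l", f"{STORE}/{filename}"]

def list_file_hardened(filename):
    """Run the hardened command; shell=False means metacharacters are inert."""
    return subprocess.run(build_argv_hardened(filename), capture_output=True,
                          text=True, shell=False)
```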
Exploitation Chain
1. Attacker obtains valid FileZen credentials (brute force, credential stuffing, phishing, or pre-existing access)
2. Sends crafted HTTP request to vulnerable management interface endpoint
3. User-controlled parameter is passed unsanitized to OS command function
4. Shell metacharacters cause arbitrary command execution
5. Attacker executes payload: reverse shell, credential dump, data exfil
6. FileZen file stores accessed and exfiltrated
Attack Surface
- Network-accessible: The vulnerable interface is typically accessible over HTTPS on port 443
- Authentication required: Reduces but does not eliminate risk — credential acquisition is straightforward for targeted attackers
- Impact scope: Full OS command execution allows reading/writing all files accessible to the service account, lateral movement within the network, and persistent backdoor installation
Affected Versions
| Product | Affected Version Range | Fixed Version |
|---|---|---|
| FileZen v5.x | v5.0.0 to v5.0.10 | v5.0.11 or later |
| FileZen v4.x | v4.2.1 to v4.2.8 | Upgrade to v5.0.11+ |
| FileZen < v4.2.1 | Legacy — unsupported | Upgrade to v5.0.11+ |
Note: FileZen versions earlier than 4.2.1 are end-of-life and no longer receive security updates. Operators must upgrade to v5.0.11 or later.
Indicators of Compromise
Given that FileZen is a file transfer appliance, compromise may manifest in the following ways:
Access Log Anomalies
- HTTP requests to management endpoints containing shell metacharacters (;, &&, |, `, $()) in parameter values
- Unusual HTTP methods or oversized parameter values to /cgi-bin/ or management panel endpoints
- Requests from unexpected source IP addresses to the admin interface
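A small scanner for these access-log indicators, added here as an example and not part of the advisory. It assumes a combined-log format, /admin as the management panel prefix, 10.0.0.0/8 as the trusted management range and 512 bytes as "oversized", and runs over constructed sample lines.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed, not from the advisory: combined log format, "/admin" as the panel
# prefix, 10.0.0.0/8 as the trusted management range, 512 bytes as "oversized".
MGMT_PREFIXES = ("/cgi-bin/", "/admin")
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_METHODS = {"GET", "POST", "HEAD"}
METACHARS = re.compile(r";|&&|\||`|\$\(")  # the ; && | ` $() listed above
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+')

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Feb/2026:09:12:01 +0900] "POST /cgi-bin/admin.cgi?file=report.pdf HTTP/1.1" 200 512
203.0.113.7 - admin [25/Feb/2026:02:41:13 +0900] "POST /cgi-bin/admin.cgi?file=report.pdf%3Bid HTTP/1.1" 200 88
10.0.0.5 - admin [25/Feb/2026:09:16:02 +0900] "DELETE /admin/config?name=x HTTP/1.1" 405 0
"""

def analyse_line(line):
    """Return the indicators matched by one access-log line; [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    parts = urlsplit(m["target"])
    if not parts.path.startswith(MGMT_PREFIXES):
        return []  # only management endpoints are in scope
    reasons = []
    if m["method"] not in EXPECTED_METHODS:
        reasons.append(f"unusual method {m['method']}")
    try:
        trusted = any(ipaddress.ip_address(m["ip"]) in n for n in TRUSTED_NETS)
    except ValueError:
        trusted = False
    if not trusted:
        reasons.append(f"untrusted source {m['ip']}")
    # parse_qsl percent-decodes, so %3B is inspected as ';' (POST bodies are not
    # in access logs; body parameters need the application log instead)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if METACHARS.search(value):
            reasons.append(f"shell metacharacter in parameter {key!r}")
        if len(value) > 512:
            reasons.append(f"oversized parameter {key!r} ({len(value)} bytes)")
    return reasons

def scan_log(text):
    """Return (line, reasons) pairs for every suspicious line in the log."""
    return [(line, r) for line in text.splitlines()
            if line.strip() and (r := analyse_line(line))]
```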
System-Level Indicators
- Unexpected new processes spawned by the FileZen web service (e.g., sh, bash, curl, wget, nc)
- New cron jobs or startup scripts not part of the standard FileZen installation
- Unexpected outbound network connections from the FileZen appliance to external IPs
- New user accounts created on the appliance OS
- Bulk file access or download activity from the file store outside normal business hours
File Integrity
- Modifications to files in /etc/, /var/www/, or FileZen's web root outside of a patch/upgrade window
- Presence of webshells (.php, .cgi, .pl files) in web-accessible directories
- SSH authorized_keys modified in service account home directories
Remediation
- Upgrade FileZen to v5.0.11 or later immediately. This is the only complete fix for CVE-2026-25108. Apply the update following the vendor's official upgrade documentation.
- Restrict network access to the FileZen management interface. If the appliance management panel does not need to be internet-accessible, block access at the perimeter firewall. Limit access to trusted management IP ranges only.
- Audit active FileZen user accounts. Disable or remove any accounts that are not actively needed. Reset passwords for all accounts as a precaution given confirmed active exploitation in the wild.
- Review FileZen access logs for the indicators listed above. Pay particular attention to log entries from the 30 days prior to patching to identify potential historic compromise.
- Perform a full file integrity check on the FileZen appliance following the vendor's guidance. Look for unexpected file modifications or additions, particularly in web-accessible directories.
- Isolate any appliance suspected of compromise from the internal network immediately and perform forensic investigation before returning to service.
- Report confirmed incidents to CISA (https://www.cisa.gov/report) and, for Japanese organisations, to JPCERT/CC, as Soliton and authorities are tracking active exploitation.
References
- CISA — CVE-2026-25108 KEV Catalog Entry
- The Hacker News — CISA Confirms Active Exploitation of FileZen CVE-2026-25108
- Help Net Security — CISA flags exploited FileZen command injection bug (CVE-2026-25108)
- Security Affairs — CISA adds FileZen flaw to Known Exploited Vulnerabilities catalog
- NVD — CVE-2026-25108
- Soliton Systems — FileZen Security Advisory