Introduction to FileZen Vulnerability
CISA has added a critical OS command injection vulnerability, CVE-2026-25108, found in Soliton Systems’ FileZen secure file transfer solution, to its Known Exploited Vulnerabilities catalog. The vendor has confirmed active exploitation, stating it has received multiple reports of damage caused by attackers abusing the flaw.
However, the KEV listing itself does not indicate that the vulnerability is currently linked to ransomware activity. Meanwhile, public disclosures from the Japanese CERT Coordination Center and a ransomware incident reported by Japan’s Washington Hotel occurred around the same time, sparking speculation about the potential link to ransomware attacks.
Understanding CVE-2026-25108
The appliance-based FileZen file-sharing server, developed and sold by Tokyo-based Soliton Systems to businesses and government agencies, enables secure, authorized transfers of large files between segregated networks. It provides content sanitization, antivirus scanning, and comprehensive audit logging.
CVE-2026-25108 allows remote, authenticated attackers to inject commands via a specially crafted HTTP request into a specific field on the screen after logging in, either by using compromised login credentials for a low-level account or by guessing them. Therefore, it is crucial to ensure the security of login credentials to prevent such attacks.
Affected Versions and Mitigation
The vulnerability affects both the physical and virtual versions of FileZen, but only if antivirus scanning is enabled. It does not affect FileZen S. Additionally, it affects FileZen v5.0.0 to v5.0.10 and v4.2.1 to v4.2.8. Customers are urged to upgrade to v5.0.11 or later to mitigate the vulnerability.
CISA has ordered US federal civilian agencies to mitigate the vulnerability by March 17, 2026. Japan’s CERT notes that FileZen includes a file-monitoring feature for its system directory, meaning that if those files are altered, the activity may be recorded in the logs. Customers are advised to contact the vendor for guidance on how to review and interpret those logs.
Recommendations for Organizations
Organizations should examine logs for signs of unauthorized access using compromised accounts. If evidence of such activity is identified, they should consider resetting passwords for all accounts as a precaution. Furthermore, regularly monitoring system logs can help detect potential security breaches early on.
For example, implementing a robust log monitoring system can provide valuable insights into system activities. Meanwhile, ensuring that all software and systems are up-to-date with the latest security patches is essential for preventing exploitation of known vulnerabilities.
Conclusion and Call to Action
In conclusion, the exploited FileZen command injection bug is a critical vulnerability that requires immediate attention from organizations using the FileZen secure file transfer solution. By upgrading to the latest version and following the recommendations outlined above, organizations can significantly reduce the risk of exploitation.
Finally, staying informed about the latest cybersecurity threats and vulnerabilities is crucial for maintaining the security of your organization’s systems and data. We recommend checking the official CISA website for updates on the KEV catalog and following best practices for cybersecurity.
Frequently Asked Questions
- What is CVE-2026-25108, and how does it affect FileZen users?
CVE-2026-25108 is an OS command injection vulnerability in Soliton Systems’ FileZen secure file transfer solution. It allows remote, authenticated attackers to inject commands via a specially crafted HTTP request, potentially leading to unauthorized access and data breaches.
- How can I mitigate the vulnerability in my organization?
To mitigate the vulnerability, upgrade your FileZen version to v5.0.11 or later. Additionally, ensure that antivirus scanning is disabled until the update is applied, and monitor system logs for signs of unauthorized access.
- What is the impact of the vulnerability on my organization’s security?
The vulnerability can lead to unauthorized access, data breaches, and potential ransomware attacks if exploited. Therefore, it is essential to take immediate action to mitigate the vulnerability and ensure the security of your organization’s systems and data.
- How can I stay informed about the latest cybersecurity threats and vulnerabilities?
Stay informed by checking the official CISA website for updates on the KEV catalog, following cybersecurity news, and implementing a robust cybersecurity strategy that includes regular software updates, log monitoring, and employee training.
- What is the role of antivirus scanning in the vulnerability?
The vulnerability is only exploitable if antivirus scanning is enabled. Therefore, disabling antivirus scanning until the update is applied can help mitigate the vulnerability.








