The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially recognized a critical operating system command injection vulnerability in Soliton Systems K.K.’s FileZen software. On February 25, 2026, the agency added the flaw, identified as CVE-2026-25108, to its Known Exploited Vulnerabilities (KEV) catalog, signifying active exploitation in the wild. The vulnerability poses a significant risk to organizations running the affected software.
CISA’s inclusion of CVE-2026-25108 in the KEV catalog highlights the immediate threat it presents to national security systems. The agency requires federal civilian executive branch agencies to apply the necessary security patches by March 17, 2026, to safeguard their networks from potential compromise. The deadline underscores the severity of the vulnerability.
Understanding the FileZen Vulnerability (CVE-2026-25108)
CVE-2026-25108 is described as an operating system (OS) command injection flaw with a CVSS v4 score of 8.7, indicating high severity. According to Japan Vulnerability Notes (JVN), the vulnerability allows an authenticated user to execute arbitrary commands on the server hosting FileZen by submitting specially crafted HTTP requests, bypassing intended controls.
Specifically, CISA stated that “Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs-in to the affected product and sends a specially crafted HTTP request.” This means an attacker must first gain authenticated access to the FileZen web interface to exploit this weakness, although general user privileges are enough. Once that access is established, command execution becomes possible.
Affected FileZen Versions and Exploitation Context
The vulnerability impacts specific versions of the FileZen file transfer product. As detailed by Japan Vulnerability Notes, these include FileZen versions 4.2.1 through 4.2.8, and versions 5.0.0 through 5.0.10. Organizations using these particular iterations are at elevated risk and should prioritize updating their systems.
Soliton Systems K.K. has provided further clarification regarding the conditions for exploitation. In its official advisory, the company noted that the vulnerability can only be exploited if the FileZen Antivirus Check Option is enabled. This detail is crucial for organizations assessing their exposure. Furthermore, Soliton has indicated that it has received reports of actual damage resulting from the exploitation of this vulnerability, underscoring the reality of the threat.
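The version ranges and the Antivirus Check Option condition described above can be turned into a quick exposure triage. The following is an added example, not code from CISA, JVN or Soliton; the inventory format, host names and status labels are assumptions made for illustration.

```python
"""Triage a FileZen inventory against the advisory details quoted above."""
import re

# Affected ranges as listed on this page (inclusive), per JVN.
AFFECTED = [((4, 2, 1), (4, 2, 8)), ((5, 0, 0), (5, 0, 10))]

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y.z."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(g) for g in m.groups()) if m else None

def classify(version, av_check_enabled):
    """av_check_enabled: True, False, or None when the setting is unknown."""
    v = parse_version(version)
    if v is None:
        return "UNKNOWN_VERSION"         # verify by hand; never assume safe
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        return "NOT_LISTED"              # outside the ranges given on this page
    if av_check_enabled is False:
        return "AFFECTED_OPTION_OFF"     # affected build, precondition not met
    if av_check_enabled is None:
        return "AFFECTED_VERIFY_OPTION"  # affected build, setting not recorded
    return "EXPOSED"                     # affected build with the option enabled

# Constructed sample inventory: (host, reported version, AV check option).
INVENTORY = [
    ("fz-dmz-01", "5.0.10", True),
    ("fz-dmz-02", "5.0.11", True),
    ("fz-int-01", "4.2.8", False),
    ("fz-int-02", "4.2.3", None),
    ("fz-lab-01", "5.0", True),
]

def triage(inventory):
    """Map each host to its exposure status."""
    return {host: classify(ver, av) for host, ver, av in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {status}")
```

Hosts reported as AFFECTED_OPTION_OFF still run an affected build, so they belong on the update list even though the stated exploitation condition is not met.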
Mitigation Strategies and Future Outlook
To address the vulnerability, Soliton Systems K.K. has released updated versions of its software. Users are strongly advised to update to version 5.0.11 or any subsequent release to mitigate the threat posed by CVE-2026-25108. The company also recommends additional security measures due to the nature of the attack.
Because an attacker can log in using legitimate user credentials, Soliton suggests that, in addition to updating the software, all user passwords be changed as a precautionary measure. This recommendation aims to further limit potential unauthorized access. The March 17, 2026 deadline for federal agencies to apply these fixes serves as a critical benchmark for the broader cybersecurity community and emphasizes the urgency of patching this known exploited vulnerability.

