CISA has officially confirmed that a serious security flaw in FileZen, a popular file transfer product, is being actively exploited by attackers. The vulnerability has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, which means cybercriminals are already using it in real-world attacks.
This development makes the issue urgent for organizations that use FileZen, especially government agencies and businesses handling sensitive data. Security teams are strongly advised to apply fixes as soon as possible to avoid system compromise.
The vulnerability is tracked as CVE-2026-25108 and has received a CVSS v4 score of 8.7, placing it in the high-severity category. This score reflects the serious risk the flaw poses to affected systems.
CVE-2026-25108 is an operating system (OS) command injection vulnerability. In simple terms, this means an attacker can send specially crafted requests to the FileZen server and trick it into running harmful commands on the underlying operating system.
Once exploited, attackers could potentially:
- Execute unauthorized system commands
- Modify or delete files
- Access sensitive information
- Take control of affected servers
According to CISA, the vulnerability can be exploited by an authenticated user, meaning the attacker needs valid login credentials. While this may sound less severe, it still represents a major risk.
In many cases, attackers gain access to valid accounts through:
- Stolen credentials
- Weak passwords
- Phishing attacks
- Compromised insider accounts
Once logged in, the attacker can send a specially crafted HTTP request that triggers the OS command injection flaw.
CISA described the issue as follows:
“Soliton Systems K.K FileZen contains an OS command injection vulnerability when a user logs in to the affected product and sends a specially crafted HTTP request.”
According to information published in the Japan Vulnerability Notes (JVN), the following FileZen versions are vulnerable:
- FileZen versions 4.2.1 to 4.2.8
- FileZen versions 5.0.0 to 5.0.10
Any organization using these versions should consider their systems at risk and take immediate action.
The vendor, Soliton Systems K.K, confirmed that the vulnerability can only be exploited when the FileZen Antivirus Check Option is enabled.
However, this does not significantly reduce the risk. Antivirus scanning is commonly enabled in enterprise environments, especially where secure file transfers are required.
More importantly, Soliton Systems revealed that it has already received at least one report of real damage caused by attackers exploiting this vulnerability. This confirms that the threat is not theoretical.
To successfully exploit CVE-2026-25108, an attacker must:
- Log in to the FileZen web interface
- Have at least general user privileges
- Send a specially crafted HTTP request
Even limited user access is enough to launch an attack. This makes shared or low-privilege accounts a serious security concern.
Once the vulnerability is exploited, attackers could move deeper into the network, escalate privileges, or deploy additional malware.
Soliton Systems has released a fix for this vulnerability. All users are strongly advised to upgrade to FileZen version 5.0.11 or later.
In addition to upgrading, the company recommends taking extra precautions:
- Change all user passwords, especially if compromise is suspected
- Review logs for unusual login or command activity
- Disable unused user accounts
- Limit user privileges where possible
Soliton Systems warned:
“If you have been attacked or suspect that you have been victimized by this vulnerability, please consider not only updating to V5.0.11 or later, but also changing all user passwords as a precaution.”
Because the vulnerability is listed in the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies in the United States are required to act quickly.
CISA has set a mandatory remediation deadline of March 17, 2026. By this date, all affected agencies must apply the necessary security updates or take mitigating actions to protect their networks.
Failure to comply could expose critical government systems to attack and increase the risk of data breaches or service disruptions.
When CISA adds a vulnerability to the Known Exploited Vulnerabilities catalog, it signals three important things:
- The vulnerability is being exploited in the wild
- Proof of exploitation exists
- Organizations should treat it as a top security priority
Security teams often use the KEV catalog to guide patching decisions, making this listing a strong indicator that CVE-2026-25108 should not be ignored.
The active exploitation of FileZen CVE-2026-25108 highlights once again how quickly attackers take advantage of newly disclosed vulnerabilities. Even flaws that require authentication can lead to serious damage if left unpatched.
Organizations using FileZen should immediately check their versions, apply updates, and review security controls. Prompt action can prevent unauthorized access, system compromise, and costly incidents.
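For the version check, the following is an added example (not code from Soliton Systems, CISA or JVN) that triages an inventory against the affected ranges, the fixed release and the Antivirus Check Option condition described above. The host names, inventory rows, status labels and function names are constructed for illustration; versions are compared as integer tuples so that 5.0.10 is not sorted below 5.0.9.

```python
import re

# Affected ranges (inclusive) and fixed release as stated in the article.
AFFECTED = [((4, 2, 1), (4, 2, 8)), ((5, 0, 0), (5, 0, 10))]
FIXED = (5, 0, 11)

def parse_version(text):
    """Parse 'V5.0.10', '5.0.10' or 'FileZen 4.2.3' into a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def triage(version_text, av_check_enabled):
    """Return (status, action). av_check_enabled is True, False or None (unknown)."""
    v = parse_version(version_text)
    if not any(lo <= v <= hi for lo, hi in AFFECTED):
        if v >= FIXED:
            return "fixed", "none"
        return "not-listed", "confirm against the vendor advisory"
    # Vendor: exploitable only when the Antivirus Check Option is enabled.
    # An unknown setting is treated as enabled so inventory gaps fail closed.
    if av_check_enabled is False:
        return "affected-not-exploitable", "upgrade to 5.0.11 or later"
    return "affected-exploitable", "upgrade to 5.0.11 or later, change passwords, review logs"

INVENTORY = [  # constructed sample rows: (host, reported version, AV option)
    ("fz-dmz-01", "V5.0.10", True),
    ("fz-dmz-02", "5.0.11", True),
    ("fz-lab-01", "FileZen 4.2.3", False),
    ("fz-old-01", "4.2.8", None),
]

def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver, av)[0] for host, ver, av in inventory}

if __name__ == "__main__":
    for host, ver, av in INVENTORY:
        status, action = triage(ver, av)
        print(f"{host:10} {ver:14} {status:26} {action}")
```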
