CISA flags exploited FileZen command injection bug, patch now! (CVE-2026-25108)

CISA has added CVE-2026-25108, an OS command injection vulnerability in Soliton Systems’ FileZen secure file transfer solution, to its Known Exploited Vulnerabilities (KEV) catalog.

The vendor has confirmed active exploitation, stating it has received multiple reports of damage caused by attackers abusing the flaw.

Because public disclosures from the Japanese CERT Coordination Center (JPCERT/CC) and a ransomware incident reported by Japan’s Washington Hotel occurred around the same time, there has been speculation that CVE-2026-25108 may have been used to deploy ransomware against organizations.

However, the KEV listing itself does not indicate that the vulnerability is currently linked to ransomware activity.

About CVE-2026-25108

The appliance-based FileZen file-sharing server is developed and sold by Tokyo-based Soliton Systems to businesses and government agencies.

The solution enables secure, authorized transfers of large files between segregated networks and provides content sanitization, antivirus scanning, and comprehensive audit logging.

CVE-2026-25108 allows remote, authenticated attackers to inject commands via a specially crafted HTTP request into a specific field on the screen after logging in (either by using compromised login credentials for a low-level account or by guessing them).

The vulnerability affects both the physical and virtual versions of FileZen, and is exploitable only if antivirus scanning is enabled. It does not affect FileZen S.

CVE-2026-25108 affects FileZen v5.0.0 to v5.0.10 and v4.2.1 to v4.2.8. Customers are urged to upgrade to v5.0.11 or later. CISA has ordered US federal civilian agencies to mitigate the vulnerability by March 17, 2026.

Japan’s CERT notes that FileZen includes a file-monitoring feature for its system directory, meaning that if those files are altered, the activity may be recorded in the logs. Customers are advised to contact the vendor for guidance on how to review and interpret those logs.

In addition, organizations should examine logs for signs of unauthorized access using compromised accounts. If evidence of such activity is identified, they should consider resetting passwords for all accounts as a precaution.

This is not the first time attackers exploited a zero-day vulnerability in FileZen.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!