What is Soliton FileZen?
Soliton Systems K.K. is a Japanese IT security and networking company. FileZen is their secure managed file transfer (MFT) appliance, widely deployed in Japanese enterprises and government agencies for regulated document exchange. FileZen provides web-based file upload and download for business-to-business file sharing, acting as a secure drop point for large file transfers that cannot be sent via email. Because FileZen handles sensitive business documents and is accessible from the internet, it is a high-value target — compromising it can expose confidential business files and provide a foothold in the corporate network.
Overview
CVE-2026-25108 is an OS command injection vulnerability (CWE-78) in Soliton FileZen. When a logged-in user sends a specially crafted HTTP request and the Antivirus Check Option is enabled, FileZen fails to sanitize user input before passing it to an OS command. An authenticated attacker (requiring only a standard user account) can inject arbitrary shell commands, achieving remote code execution on the FileZen appliance. The vulnerability affects FileZen V4.2.1–V4.2.8 and V5.0.0–V5.0.10. Soliton received multiple reports of real-world damage from attackers exploiting this flaw.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| FileZen V5.0.0 through V5.0.10 | All — if Antivirus Check Option is enabled | FileZen V5.0.11 |
| FileZen V4.2.1 through V4.2.8 | All — if Antivirus Check Option is enabled | Must upgrade to V5.0.11 (no V4.x patch) |
| FileZen S series | Not affected | — |
Important: The vulnerability is only exploitable when the Antivirus Check Option is enabled in FileZen's configuration. Organizations with this feature disabled are not vulnerable to this specific CVE.
Technical Details
The vulnerability (CWE-78: Improper Neutralization of Special Elements Used in an OS Command) is in FileZen's antivirus scan handler. When the Antivirus Check Option is active, FileZen passes uploaded file metadata or user-supplied parameters to an OS-level antivirus scanning command. The handler fails to properly sanitize or quote user input before constructing the command string, allowing injection of shell metacharacters (e.g., ;, |, backticks) that the underlying shell interpreter executes as separate commands.
The attack requires low-privilege local authentication (a standard FileZen user account), lowering the bar for exploitation — any legitimate user of the file transfer service, or an attacker who has obtained credentials via phishing, can exploit the vulnerability. No special privileges or additional user interaction are required beyond the initial login and HTTP request.
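The flawed pattern described above, next to two corrected forms, as an added example that is not FileZen's code and is not taken from the advisory. The function names, the `echo scanned` stand-in for the scanner command and the file-name allow-list are assumptions.

```python
import re
import shlex
import subprocess

# Hypothetical scan handler illustrating CWE-78; this is not FileZen code.
# "echo scanned" stands in for the antivirus scanner command line (assumption).
SCANNER = ["echo", "scanned"]

# Allow-list for names handed to the scanner: no path separators, no leading
# dash or dot, no whitespace, no shell metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,254}")


def scan_vulnerable(filename: str) -> str:
    """Builds one command string and lets /bin/sh parse it (the flawed pattern)."""
    cmd = " ".join(SCANNER) + " " + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_hardened(filename: str) -> str:
    """Validates the name, then passes an argv list so no shell is involved."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected file name: %r" % filename)
    return subprocess.run(SCANNER + [filename], capture_output=True, text=True).stdout


def scan_quoted(filename: str) -> str:
    """Fallback when a shell cannot be avoided: quote the untrusted value."""
    cmd = " ".join(SCANNER) + " " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    crafted = "report.pdf; echo SECOND_COMMAND"  # constructed input
    print(repr(scan_vulnerable(crafted)))  # the shell runs two commands
    print(repr(scan_quoted(crafted)))      # one command, name kept as data
    print(repr(scan_hardened("report.pdf")))
```

In the vulnerable form the `;` ends the scanner command and the shell runs the remainder as a second command; in the other two forms the whole value reaches the scanner as a single argument or is rejected before any process starts.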
Discovery
Reported by Soliton Systems K.K. through JPCERT/CC's Information Security Early Warning Partnership (coordinated disclosure program). Published as JVN#84622767 and JVNDB-2026-000023.
Exploitation Context
Confirmed active exploitation in the wild. Soliton received multiple reports of damage from attackers abusing the flaw, indicating widespread real-world attacks rather than isolated incidents. Exploitation activity is concentrated in Japan, where FileZen has significant market presence. Reported incidents include suspected links to a ransomware attack affecting Washington Hotel Japan. CISA added the vulnerability to the KEV catalog on 24 February 2026, the same day NVD was updated — one of the fastest KEV additions for a Japanese appliance vendor, reflecting the severity and confirmed exploitation.
Remediation
- Upgrade FileZen to V5.0.11 immediately — this is the only patched version. V4.x users must upgrade to V5.0.11 (no V4.x patch exists).
- If upgrade is not immediately possible, disable the Antivirus Check Option in FileZen's administration console as an interim mitigation — the vulnerability requires this option to be enabled.
- Review FileZen logs for unusual command patterns, unexpected process executions, or anomalous HTTP requests from authenticated sessions — particularly in the antivirus scan request path.
- Rotate all FileZen user credentials — if exploitation is suspected, assume all stored files and credentials are compromised.
- Restrict FileZen network access — ensure the appliance is not directly internet-accessible without authentication enforcement; consider placing it behind a WAF with anomaly detection.
- Audit all uploaded files on the FileZen instance for potential web shells or malicious content planted by an attacker.
- File a security incident report with JPCERT/CC if you observe exploitation indicators — Japan's coordinated vulnerability reporting infrastructure is active on this CVE.
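One way to run the log review from the list above, as an added example rather than a Soliton or JPCERT/CC tool. It assumes Common Log Format access logs (FileZen's actual log layout is not given here, so adjust the pattern), inspects query-string parameters only, and uses constructed sample lines with placeholder paths.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed layout: Common Log Format, authenticated user in the third field.
LINE = re.compile(r'\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')
# ; | and backtick are named in the advisory; $( and CR/LF are added here.
META = re.compile(r"[;|`\r\n]|\$\(")

# Constructed sample lines: hosts, users and paths are placeholders.
SAMPLE = [
    '203.0.113.10 - alice [24/Feb/2026:09:12:01 +0900] "GET /files/list?dir=inbox HTTP/1.1" 200 512',
    '203.0.113.44 - bob [24/Feb/2026:09:13:37 +0900] "POST /files/scan?name=q3.pdf%3Becho%20x HTTP/1.1" 200 87',
    '203.0.113.44 - bob [24/Feb/2026:09:14:02 +0900] "POST /files/scan?name=q3.pdf%2560date%2560 HTTP/1.1" 200 87',
    '198.51.100.7 - - [24/Feb/2026:09:15:00 +0900] "GET /login?next=%2Fhome HTTP/1.1" 200 300',
]


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_requests(lines):
    """Return (user, timestamp, parameter) for authenticated requests whose
    decoded parameter values contain shell metacharacters."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["user"] == "-":  # unparsed or unauthenticated
            continue
        for pair in urlsplit(m["target"]).query.split("&"):
            name, _, value = pair.partition("=")
            if META.search(fully_decode(value)):
                hits.append((m["user"], m["ts"], name))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE):
        print(hit)
```

Hits are leads for manual review, not proof of compromise, and parameters sent in request bodies do not appear in access logs at all.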
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-25108 |
| Vendor / Product | Soliton Systems K.K. — FileZen |
| NVD Published | 2026-02-13 |
| NVD Last Modified | 2026-02-24 |
| CVSS 3.1 Score | 8.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2026-02-24 |
| CISA KEV Deadline | 2026-03-17 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-02-13 | CVE published; JPCERT/CC advisory JVN#84622767 published by Soliton Systems K.K. via Information Security Early Warning Partnership |
| 2026-02-24 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-03-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| JVN#84622767 — FileZen OS Command Injection (JPCERT/CC) | Vendor Advisory |
| NVD — CVE-2026-25108 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CVE-2026-25108 — FileZen Vulnerability Actively Exploited | News |
| CISA Confirms Active Exploitation of FileZen Flaw | News |