The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Soliton Systems K.K.’s FileZen secure file transfer platform to its Known Exploited Vulnerabilities (KEV) Catalog. This inclusion is based on evidence that the flaw is already being exploited in real-world attacks.
The issue, tracked as CVE-2026-25108, is an operating system command injection vulnerability with a high severity score of 8.7 under the CVSS v4 scale. When certain conditions are met, an authenticated user can send specially crafted HTTP requests that allow execution of arbitrary OS-level commands on the FileZen server.
How it works:
- This flaw is triggered only if the Antivirus Check Option (BitDefender-based scanning) is enabled in FileZen.
- An attacker must already hold valid credentials (obtained through compromise or guessed login details) to reach the FileZen interface before exploiting the bug. Once authenticated, they can inject commands because input is not properly sanitized before it is passed to the operating system.
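The two points above (affected version ranges, and an upload name reaching the operating system unsanitized) are illustrated by the following added example; it is not FileZen's code and nothing about Soliton's real scanner integration is public. The scanner path, the upload directory and the argv layout are assumptions; the version ranges are the ones the advisory lists.

```python
import shlex
import subprocess
from pathlib import Path

# Affected ranges from the advisory text (inclusive on both ends).
AFFECTED_RANGES = [((4, 2, 1), (4, 2, 8)), ((5, 0, 0), (5, 0, 10))]

# Hypothetical paths; FileZen's real scanner integration is not public.
UPLOAD_ROOT = Path("/var/filezen/uploads")
SCANNER = "/opt/av/scan"


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when a FileZen version string falls inside a published vulnerable range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def vulnerable_scan_command(filename: str) -> str:
    """Risky pattern (illustration only): the upload name is pasted into one
    shell string. If run with shell=True, every shell metacharacter in the
    name is interpreted, so the name can terminate the scanner command."""
    return f"{SCANNER} --file {UPLOAD_ROOT}/{filename}"


def shell_tokens(command: str) -> list:
    """Show how a POSIX shell would tokenise a command line: ';' becomes a
    separate operator token instead of staying part of the file name."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def hardened_scan_argv(filename: str) -> list:
    """Hardened form: validate the name as a single path component, then
    build an argv list so no shell ever parses it."""
    if filename in ("", ".", "..") or "/" in filename or "\x00" in filename:
        raise ValueError("rejected upload name")
    target = UPLOAD_ROOT / filename
    if target.parent != UPLOAD_ROOT:  # defence in depth against traversal
        raise ValueError("upload name escapes the upload root")
    return [SCANNER, "--file", str(target)]


def run_scan(filename: str) -> int:
    """Invoke the scanner without a shell; the name stays one argv element."""
    return subprocess.run(hardened_scan_argv(filename), shell=False).returncode
```

`shell_tokens` exists only to make the difference visible: the same name that the shell would split into an operator stays a single literal argument in the hardened argv.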
Affected Versions and Mitigation:
- FileZen versions 4.2.1 to 4.2.8 and 5.0.0 to 5.0.10 are vulnerable.
- Upgrading to version 5.0.11 or later eliminates the vulnerability.
- CISA has set a remediation deadline of March 17, 2026 for federal agencies, and strongly recommends that all organizations using FileZen apply the update promptly.
Impact:
The flaw's inclusion in the KEV Catalog confirms that attackers are already exploiting it in the wild, putting any unpatched FileZen deployment at risk of compromise.
