PROBABLYPWNED
Vulnerabilities | February 25, 2026 | 3 min read

CISA Adds FileZen CVE-2026-25108 to KEV After Active Exploitation

CISA flags FileZen command injection flaw (CVE-2026-25108, CVSS 8.7) as actively exploited. Federal agencies must patch by March 17, 2026.

Marcus Chen

CISA added an actively exploited command injection vulnerability in Soliton Systems' FileZen file transfer appliance to its Known Exploited Vulnerabilities catalog on February 24, 2026. Federal civilian executive branch agencies now face a March 17 deadline to apply patches.

The vulnerability, tracked as CVE-2026-25108, carries a CVSS v4 score of 8.7 and allows authenticated attackers to execute arbitrary operating system commands through specially crafted HTTP requests. Soliton confirmed receiving "at least one report of damage caused by the exploitation of this vulnerability."

Technical Details

FileZen is a file-sharing and secure data transfer appliance manufactured by Japanese vendor Soliton Systems K.K. The product is popular among enterprises needing to transfer sensitive files between internal systems and external partners.

The command injection flaw is only reachable when the FileZen Antivirus Check Option is enabled. An authenticated user can submit a crafted HTTP request whose contents end up in the operating system command the appliance runs to scan uploaded files, so attacker-supplied commands execute with the privileges of the FileZen service account.
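To make the bug class concrete, here is an added example in Python. It is not FileZen's code (which is not public) and not Soliton's fix; it shows the general pattern of an upload handler that hands a user-controlled filename to an external scanner. The scanner binary is replaced by `/bin/echo` (an assumption, so that the argument list that reaches the command line is visible), the `/upload` directory and the `SAFE_NAME` allowlist are assumptions, and the `report.pdf; echo INJECTED` filename is a constructed payload.

```python
import re
import subprocess

# Stand-in for the antivirus scanner binary (assumption: a real appliance
# would invoke a vendor scanner). /bin/echo just prints its argument list, so
# we can observe exactly what reached the command line.
SCANNER = "/bin/echo"
UPLOAD_DIR = "/upload"  # hypothetical upload location


def scan_unsafe(filename: str) -> str:
    """Vulnerable pattern: the user-controlled filename is concatenated into a
    shell command string. Metacharacters such as ';' become new commands that
    run with the scanning process's privileges."""
    cmd = f"{SCANNER} scanning {UPLOAD_DIR}/{filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def scan_argv(filename: str) -> str:
    """First fix: pass an argument vector and no shell. The whole filename is a
    single argv element, so ';', '|', '$(...)' are literal bytes, not syntax."""
    argv = [SCANNER, "scanning", f"{UPLOAD_DIR}/{filename}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Second layer: an allowlist for filenames. Requiring an alphanumeric first
# character also blocks path traversal ('..') and option injection ('-rf').
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def validate_filename(filename: str) -> bool:
    return SAFE_NAME.fullmatch(filename) is not None


def scan_safe(filename: str) -> str:
    """Hardened form: allowlist validation, then argv invocation without a shell."""
    if not validate_filename(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return scan_argv(filename)


if __name__ == "__main__":
    payload = "report.pdf; echo INJECTED"  # constructed malicious filename
    print("unsafe:", repr(scan_unsafe(payload)))  # a second line 'INJECTED' proves the injected command ran
    print("argv  :", repr(scan_argv(payload)))    # one literal argument; nothing extra executed
    try:
        scan_safe(payload)
    except ValueError as exc:
        print("safe  :", exc)
```

The argv form alone neutralises shell injection; the allowlist is there because the scanner itself may interpret a name beginning with `-` as an option, and because a traversal sequence would let a user scan (and, depending on the scanner, read or quarantine) files outside the upload directory. Running the scanner under a dedicated low-privilege account rather than the main service account limits what a successful injection can do if either layer fails.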

Affected versions:

  • FileZen 4.2.1 through 4.2.8
  • FileZen 5.0.0 through 5.0.10

FileZen S is not affected by this vulnerability.

Exploitation Requirements

Successful attacks require three conditions:

  1. Valid credentials - The attacker must authenticate to the FileZen web interface
  2. Antivirus scanning enabled - The target instance must have the Antivirus Check Option turned on
  3. Crafted HTTP request - A specifically formatted request triggers the injection

The authentication requirement rules out unauthenticated mass exploitation, but file transfer appliances sit at the network perimeter and handle sensitive data, so an attacker holding stolen or phished credentials can turn an ordinary user account into full control of the appliance.

File transfer appliances have become prime targets for threat actors. The same pattern played out with SolarWinds' file transfer products and other enterprise file transfer tools, which attackers exploit to stage data theft and ransomware deployment.

Why This Matters

Soliton's confirmation of real-world attacks means this isn't theoretical. Someone is actively exploiting FileZen instances right now.

File transfer appliances are high-value targets because they process sensitive documents moving between organizations. Compromising one gives attackers access to everything flowing through it, plus a foothold inside the network perimeter.

A KEV catalog addition signals that CISA has credible evidence of exploitation in the wild. Under BOD 22-01, federal civilian agencies must remediate KEV vulnerabilities by the listed due date. Private sector organizations should treat KEV additions as urgent regardless of regulatory requirements.

Recommended Mitigations

Soliton released version 5.0.11 to address the vulnerability. Organizations running affected versions, including the 4.2.x line, should:

  1. Update immediately to FileZen 5.0.11 or later
  2. Reset all user passwords after patching, since exploitation requires valid credentials and any account on an exploited instance should be treated as compromised
  3. Review access logs for suspicious authentication patterns (failed-login bursts followed by success, logins from unfamiliar sources, one account used from several addresses) and for unusual file transfers
  4. Disable the Antivirus Check Option temporarily if patching isn't immediately possible; this removes the vulnerable code path but also removes malware scanning of uploads, so re-enable it once patched
  5. Segment network access so that only administrative networks can reach the FileZen management interface
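The log review in step 3 is the part of this procedure that is easiest to get wrong by eyeballing. The following added example (not code from the article or from Soliton) runs three simple rules over constructed sample log lines. The `timestamp user src_ip event` format, the `10.0.0.0/8` internal range, the thresholds and the sample entries are all assumptions; FileZen's real log layout will differ, so the `parse` function is the piece to adapt to the appliance's actual export.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, NOT FileZen's real log layout):
#   <ISO-8601 UTC timestamp> <user> <source ip> <event> [args...]
SAMPLE_LOG = """\
2026-02-20T09:02:11Z alice 10.1.4.22 LOGIN_OK
2026-02-20T09:05:40Z alice 10.1.4.22 UPLOAD report.pdf
2026-02-23T02:14:03Z bob 203.0.113.7 LOGIN_FAIL
2026-02-23T02:14:05Z bob 203.0.113.7 LOGIN_FAIL
2026-02-23T02:14:07Z bob 203.0.113.7 LOGIN_FAIL
2026-02-23T02:14:09Z bob 203.0.113.7 LOGIN_FAIL
2026-02-23T02:14:11Z bob 203.0.113.7 LOGIN_FAIL
2026-02-23T02:14:20Z bob 203.0.113.7 LOGIN_OK
2026-02-23T02:16:02Z bob 203.0.113.7 UPLOAD q.pdf
2026-02-24T11:00:00Z carol 10.1.4.30 LOGIN_OK
2026-02-24T11:30:00Z carol 198.51.100.9 LOGIN_OK
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: corporate range
FAIL_THRESHOLD = 5                   # failures before a success that count as a brute-force sign
FAIL_WINDOW = timedelta(minutes=10)  # how far back failures are counted
MULTI_SRC_WINDOW = timedelta(hours=1)  # same user from two addresses within this = suspicious


def parse(log_text: str) -> list:
    """Turn raw lines into event dicts; skips lines that do not fit the assumed format."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "user": parts[1],
            "ip": parts[2],
            "event": parts[3],
            "args": parts[4:],
        })
    return events


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_auth(events: list) -> list:
    """Return (rule, user, detail) findings for the three authentication patterns."""
    findings = []
    fails = defaultdict(list)       # (user, ip) -> timestamps of LOGIN_FAIL
    ok_by_user = defaultdict(list)  # user -> [(ts, ip)] of LOGIN_OK
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["event"] == "LOGIN_FAIL":
            fails[key].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            # Rule 1: a burst of failures from the same source, then a success.
            recent = [t for t in fails[key] if ev["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("bruteforce_then_success", ev["user"], ev["ip"]))
            # Rule 2: successful login from outside the internal ranges.
            if not is_internal(ev["ip"]):
                findings.append(("external_login", ev["user"], ev["ip"]))
            # Rule 3: the same account active from a second address shortly after the first.
            for prev_ts, prev_ip in ok_by_user[ev["user"]]:
                if prev_ip != ev["ip"] and ev["ts"] - prev_ts <= MULTI_SRC_WINDOW:
                    findings.append(("multi_source_login", ev["user"], f"{prev_ip} -> {ev['ip']}"))
                    break
            ok_by_user[ev["user"]].append((ev["ts"], ev["ip"]))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_suspicious_auth(parse(SAMPLE_LOG)):
        print(f"{rule:24} {user:8} {detail}")
```

On the sample data, `alice` produces nothing, `bob` trips the brute-force and external-login rules, and `carol` trips external-login and multi-source-login. Any account that appears in the findings is a candidate for the password reset in step 2, and its subsequent UPLOAD events deserve a look, because an exploit request would arrive after a successful login from the same source.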

For organizations still running legacy appliance-based file transfer tools, this incident reinforces why edge device security remains a persistent challenge. CISA's repeated guidance on securing edge devices, including BOD 23-02's requirement that federal agencies take device management interfaces off the public internet, reflects growing recognition that aging perimeter appliances represent systemic risk.
