Critical FileZen Bug Exploited, Patch Immediately for CVE-2026-25108 Vulnerability
A Critical Vulnerability in FileZen File Transfer Solution Exploited in the Wild
A recently disclosed vulnerability in Soliton Systems’ FileZen secure file transfer solution has been added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, tracked as CVE-2026-25108, is an OS command injection flaw that has been confirmed to be under active exploitation.
What is FileZen?
FileZen is a widely used file-sharing server solution that enables secure, authorized transfers of large files between segregated networks. The solution is designed to provide content sanitization, antivirus scanning, and comprehensive audit logging.
The Vulnerability
The vulnerability allows a remote, authenticated attacker to inject OS commands by sending a specially crafted HTTP request that targets a specific field on a screen available after logging in.
Affected Versions
The vulnerability affects both physical and virtual versions of FileZen, but only if antivirus scanning is enabled. It does not affect FileZen S. The affected versions include FileZen v5.0.0 to v5.0.10 and v4.2.1 to v4.2.8.
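The following Python sketch is an added example, not vendor or CISA tooling. It triages an appliance inventory against the affected ranges above and the fixed version named under Mitigation; the inventory schema, host names and result labels are assumptions made for illustration.

```python
import re

# Affected ranges and fixed version as stated in this article.
AFFECTED_RANGES = [((5, 0, 0), (5, 0, 10)), ((4, 2, 1), (4, 2, 8))]
FIXED = (5, 0, 11)

# Constructed sample inventory; field names and hosts are hypothetical.
INVENTORY = [
    {"name": "fz-edge-01", "edition": "FileZen", "version": "v5.0.10", "antivirus_enabled": True},
    {"name": "fz-edge-02", "edition": "FileZen", "version": "5.0.9", "antivirus_enabled": False},
    {"name": "fz-dmz-01", "edition": "FileZen", "version": "v5.0.11", "antivirus_enabled": True},
    {"name": "fz-lab-01", "edition": "FileZen S", "version": "v5.0.3", "antivirus_enabled": True},
    {"name": "fz-old-01", "edition": "FileZen", "version": "4.2.9", "antivirus_enabled": True},
    {"name": "fz-old-02", "edition": "FileZen", "version": "4.2", "antivirus_enabled": True},
]

def parse_version(text):
    """Turn 'v5.0.10' or '5.0.10' into (5, 0, 10); return None if malformed."""
    m = re.fullmatch(r"\s*[vV]?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def triage(host):
    """Classify one inventory record against the advisory as summarized here."""
    if (host.get("edition") or "").strip().lower() == "filezen s":
        return "not-affected: FileZen S"
    version = parse_version(host.get("version"))
    if version is None:
        return "unknown: verify version manually"
    # Compare integer tuples: as strings, "5.0.9" <= "5.0.10" is False.
    in_range = any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)
    # An unrecorded antivirus setting is treated as enabled (conservative).
    if in_range and host.get("antivirus_enabled", True):
        return "affected: upgrade to v5.0.11 or later"
    if in_range:
        return "in-range, antivirus scanning off: schedule upgrade"
    if version >= FIXED:
        return "patched"
    return "not-listed: confirm status with vendor"

if __name__ == "__main__":
    for host in INVENTORY:
        print(f"{host['name']:<12} {host['version']:<8} {triage(host)}")
```

Versions outside the ranges the article lists, such as 4.2.9, are reported as not listed rather than assumed safe.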
Mitigation
To mitigate the vulnerability, customers are urged to upgrade to v5.0.11 or later. CISA has ordered US federal civilian agencies to mitigate the vulnerability by March 17, 2026. In addition to upgrading to a patched version, organizations are advised to review their logs for signs of unauthorized access using compromised accounts. If evidence of such activity is identified, organizations should consider resetting passwords for all accounts as a precaution.
Guidance from JPCERT/CC
The Japanese CERT Coordination Center (JPCERT/CC) has also issued guidance on the vulnerability, noting that FileZen includes a file-monitoring feature for its system directory. This means that if files in the system directory are altered, the activity may be recorded in the logs. Customers are advised to contact the vendor for guidance on how to review and interpret these logs.
Possible Connection to Ransomware
The exploitation of this vulnerability has raised concerns about potential ransomware activity, although CISA’s KEV listing does not explicitly link the vulnerability to ransomware. However, the timing of the public disclosure and a reported ransomware incident at Japan’s Washington Hotel have led to speculation about a possible connection.
Previous Exploits
This is not the first time that attackers have exploited a zero-day vulnerability in FileZen. Organizations using the solution are advised to take immediate action to mitigate the vulnerability and review their logs for signs of unauthorized access.
