What is CVE-2026-25108?
CVE-2026-25108 is an OS command injection vulnerability in Soliton Systems K.K. FileZen that can allow an authenticated user to execute arbitrary operating system commands via a crafted HTTP request when the Antivirus Check Option is enabled. Public advisories describe the vulnerable behavior as occurring in a post-login web screen where a “specific field” can be abused to inject OS commands.
Soliton has also stated it has received at least one report of damage associated with exploitation of this issue, and JVN/JPCERT notes that attacks exploiting the vulnerability have been observed.
As of February 24, 2026, NVD’s enrichment indicates the CVE was added to the CISA Known Exploited Vulnerabilities program on February 24, 2026 (with a federal action due date of March 17, 2026), which is a strong signal that defenders should treat remediation as urgent.
What is Affected By CVE-2026-25108?
CVE-2026-25108 affects specific FileZen versions, and exploitation depends on both a configuration condition and the attacker being able to log in. JVN lists impacted releases in both the 5.0 and 4.2 trains, while Soliton’s own notice summarizes the impacted window broadly as V4.2.1 through V5.0.10 (physical and virtual editions).
Affected products/versions (per JVN and Soliton):
FileZen V5.0.0 to V5.0.10
FileZen V4.2.1 to V4.2.8 (JVN) and broadly V4.2.1 to V5.0.10 (Soliton notice)
FileZen S is not affected (per developer statement).
Exploitation prerequisites (both must be true):
Antivirus Check Option is enabled (Soliton notes this is tied to environments using the relevant antivirus option/licensing).
The attacker can authenticate to the FileZen web interface (e.g., stolen credentials or successful guessing of a valid ID/password).
Mitigation and Remediation For CVE-2026-25108
The primary remediation is to upgrade FileZen to a fixed release—Soliton explicitly recommends updating to V5.0.11 or later. Soliton’s advisory indicates the issue was fixed in the V5.0 Update Pack 11 release and instructs customers to move to FileZen V5.0.11+, noting there is no reliable “avoidance” method for affected versions in the vulnerable configuration state.
Because exploitation requires a valid login, credential hygiene and access controls are also important compensating controls—but they should not be treated as a substitute for patching when exploitation has been observed.
Recommended actions (defender-focused):
Upgrade immediately to FileZen V5.0.11 or later (per Soliton/JVN guidance).
Verify the installed version from the system administration/management page and confirm the upgrade completed successfully.
If you suspect exposure, rotate all FileZen user passwords (Soliton explicitly recommends considering password changes because the attacker must be able to log in).
Restrict access to the FileZen management/web UI (network allowlisting/VPN/admin segmentation) to reduce credential-guessing and unauthorized login paths.
Review available FileZen logs/monitoring for unexpected file operations in system directories (Soliton notes this may provide clues, though the product does not provide a definitive “exploited” indicator).
If an emergency compensating control is needed while upgrading, consider disabling the Antivirus Check Option (since exploitation requires it), understanding the security/operational tradeoffs—then still patch as soon as possible.
Impact of Successful Exploitation of CVE-2026-25108
If exploited, CVE-2026-25108 can allow arbitrary OS command execution on the FileZen system in the context of the vulnerable service, which can quickly escalate into full appliance or host compromise. Advisories characterize the outcome as the ability for a logged-in user to trigger execution of attacker-controlled commands through the web application when the Antivirus Check Option is enabled.
Because Soliton and JVN/JPCERT state exploitation has been observed, defenders should assume real-world attacker tradecraft exists even if full technical details are not publicly disclosed.
Realistic consequences include:
Remote command execution leading to system takeover (depending on service privileges and environment hardening).
Data theft and exfiltration of transferred or staged files handled by FileZen.
Tampering with files, workflows, or configuration (integrity loss).
Service disruption (process termination, resource exhaustion, destructive commands).
Lateral movement into adjacent networks if FileZen is positioned in a trusted zone or integrated with internal services.
Proof of Concept for CVE-2026-25108
As of the latest check (February 24, 2026), the primary public disclosures (Soliton notice, JVN, and NVD/CVE summaries) describe the exploitability at a high level but do not publish a detailed, reproducible public PoC that names the exact endpoint/parameter.
If you see third-party posts claiming a specific URL path/parameter, treat them cautiously unless they align with vendor/JVN details; the safest path is to validate only in a controlled lab and prioritize upgrading to V5.0.11+.
Below is a non-weaponized, defensive research template you can use to structure internal validation without exposing an exploit chain—keeping the vulnerable field/path intentionally redacted.
# Educational/defensive template (use only in an authorized lab)
# 1) Confirm your FileZen version and whether “Antivirus Check Option” is enabled.
# 2) In a lab, send a benign marker value to the relevant *post-login* request you identify via browser dev tools.
# (Do NOT attempt command strings; the goal is to validate patching, not exploit.)
curl -k -X POST “https://<filezen-host>/<redacted-post-login-path>” \
-H “Cookie: <authenticated-session>” \
-H “Content-Type: application/x-www-form-urlencoded” \
–data “<redacted-field>=POC_MARKER_ONLY”
To validate remediation safely, repeat your normal workflow on V5.0.11+ and confirm the application no longer accepts dangerous characters in the relevant field and that the vendor-provided fix is installed.