CVE-2026-25108 (GCVE-0-2026-25108)
Vulnerability from cvelistv5 – Published: 2026-02-13 03:39 – Updated: 2026-02-26 14:44
VLAI?
CISA KEV
CIRCL
Summary
FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.
Severity ?
CWE
- CWE-78 - Improper neutralization of special elements used in an OS command ('OS Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Soliton Systems K.K. | FileZen |
Affected:
V5.0.0 to V5.0.10
|
|||||||
|
|||||||||
CISA KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: e2dc6e3a-c9f8-44ca-b9e4-162a1344d4e3
Exploited: Yes
Timestamps
First Seen: 2026-02-24
Asserted: 2026-02-24
Scope
Notes: KEV entry: Soliton Systems K.K FileZen OS Command Injection Vulnerability | Affected: Soliton Systems K.K / FileZen | Description: Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-03-17 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://jvn.jp/en/jp/JVN84622767/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-25108
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-78 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | FileZen |
| Due Date | 2026-03-17 |
| Date Added | 2026-02-24 |
| Vendorproject | Soliton Systems K.K |
| Vulnerabilityname | Soliton Systems K.K FileZen OS Command Injection Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-02-24 19:00 UTC
| Updated: 2026-02-24 19:00 UTC
CIRCL
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: faf06699-e4d6-4b42-a97e-6e625bf07c3a
Exploited: Yes
Characteristics
Remote Code Execution:
Yes
Authentication Required:
Yes
Timestamps
First Seen: 2026-02-26
Asserted: 2026-02-26
Last Seen: 2026-02-26
Created: 2026-02-26 10:02 UTC
| Updated: 2026-02-26 10:02 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25108",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-25T04:55:24.116263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-02-24",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T14:44:20.718Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "CVE-2026-25108 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "FileZen",
"vendor": "Soliton Systems K.K.",
"versions": [
{
"status": "affected",
"version": "V5.0.0 to V5.0.10"
}
]
},
{
"product": "FileZen",
"vendor": "Soliton Systems K.K.",
"versions": [
{
"status": "affected",
"version": "V4.2.1 to V4.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T04:36:19.553Z",
"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"shortName": "jpcert"
},
"references": [
{
"url": "https://www.soliton.co.jp/support/2026/006657.html"
},
{
"url": "https://jvn.jp/en/jp/JVN84622767/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
"assignerShortName": "jpcert",
"cveId": "CVE-2026-25108",
"datePublished": "2026-02-13T03:39:03.795Z",
"dateReserved": "2026-01-30T11:03:04.608Z",
"dateUpdated": "2026-02-26T14:44:20.718Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2026-25108",
"cwes": "[\"CWE-78\"]",
"dateAdded": "2026-02-24",
"dueDate": "2026-03-17",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://jvn.jp/en/jp/JVN84622767/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-25108",
"product": "FileZen",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Soliton Systems K.K FileZen contains an OS command injection vulnerability when an user logs-in to the affected product and sends a specially crafted HTTP request.",
"vendorProject": "Soliton Systems K.K",
"vulnerabilityName": "Soliton Systems K.K FileZen OS Command Injection Vulnerability"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-25108\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2026-02-13T04:15:53.410\",\"lastModified\":\"2026-02-24T21:38:18.607\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.\"},{\"lang\":\"es\",\"value\":\"FileZen contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Cuando la opci\u00f3n de verificaci\u00f3n de antivirus de FileZen est\u00e1 habilitada, un usuario autenticado puede enviar una solicitud HTTP especialmente dise\u00f1ada para ejecutar un comando arbitrario del sistema operativo.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV30\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-02-24\",\"cisaActionDue\":\"2026-03-17\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Soliton Systems K.K FileZen OS Command Injection Vulnerability\",\"weaknesses\":[{\"source\":\"vultures@jpcert.or.jp\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.1\",\"versionEndExcluding\":\"5.0.11\",\"matchCriteriaId\":\"4C8030A0-947B-4FFA-B406-FF1C1A9C8812\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN84622767/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.soliton.co.jp/support/2026/006657.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25108\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-25T04:55:24.116263Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-02-24\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-02-24T00:00:00.000Z\", \"value\": \"CVE-2026-25108 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-13T13:08:28.786Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.7, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\"}, \"scenarios\": [{\"lang\": \"en-US\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Soliton Systems K.K.\", \"product\": \"FileZen\", \"versions\": [{\"status\": \"affected\", \"version\": \"V5.0.0 to V5.0.10\"}]}, {\"vendor\": \"Soliton Systems K.K.\", \"product\": \"FileZen\", \"versions\": [{\"status\": \"affected\", \"version\": \"V4.2.1 to V4.2.8\"}]}], \"references\": [{\"url\": \"https://www.soliton.co.jp/support/2026/006657.html\"}, {\"url\": \"https://jvn.jp/en/jp/JVN84622767/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"Improper neutralization of special elements used in an OS command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"shortName\": \"jpcert\", \"dateUpdated\": \"2026-02-13T04:36:19.553Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-25108\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-26T14:44:20.718Z\", \"dateReserved\": \"2026-01-30T11:03:04.608Z\", \"assignerOrgId\": \"ede6fdc4-6654-4307-a26d-3331c018e2ce\", \"datePublished\": \"2026-02-13T03:39:03.795Z\", \"assignerShortName\": \"jpcert\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…