Patch Now: CISA Warns of Active FileZen Exploit (CVE-2026-25108)

Summary
– CISA has added CVE-2026-25108, a critical OS command injection flaw in Soliton Systems’ FileZen, to its Known Exploited Vulnerabilities catalog due to confirmed active exploitation.
– The vulnerability allows remote, authenticated attackers to execute commands via a crafted HTTP request, affecting specific versions of the physical and virtual FileZen appliances.
– Exploitation requires antivirus scanning to be enabled and can be achieved using compromised or guessed credentials for a low-privilege account.
– While linked to active attacks causing damage, the KEV listing does not confirm the flaw’s use in ransomware campaigns, despite related public disclosures.
– Affected customers must upgrade to patched versions, and U.S. federal agencies have been ordered by CISA to mitigate the vulnerability by March 17, 2026.
A critical security flaw in a widely used file transfer system is now under active attack, prompting urgent action from cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a severe vulnerability in Soliton Systems’ FileZen appliance to its catalog of Known Exploited Vulnerabilities. Tracked as CVE-2026-25108, this OS command injection bug allows authenticated attackers to run arbitrary commands on affected systems. The vendor has confirmed receiving multiple reports of actual damage stemming from exploitation, underscoring the immediate risk.
While the KEV listing does not explicitly link the flaw to ransomware, its public disclosure coincided with a reported ransomware incident at a major Japanese hotel. This timing has led to speculation that threat actors may be leveraging CVE-2026-25108 to deploy ransomware payloads. Regardless of the final payload, the confirmed active exploitation makes patching a top priority.
This vulnerability specifically impacts the appliance-based FileZen secure file transfer server, a solution used by businesses and government agencies to move large files securely between networks. The platform offers features like content sanitization, antivirus scanning, and detailed audit logs. Ironically, the flaw is only exploitable when the built-in antivirus scanning feature is enabled. Attackers can trigger the bug by sending a specially crafted HTTP request to a specific field after logging in, using either compromised credentials for a low-privilege account or credentials obtained through guessing.
The security hole affects physical and virtual editions of FileZen versions 5.0.0 through 5.0.10 and versions 4.2.1 through 4.2.8. The FileZen S product line is not vulnerable. Soliton Systems has released a fix in version 5.0.11, and all customers are strongly urged to upgrade immediately. In response to the active threats, CISA has mandated that all U.S. federal civilian executive branch agencies apply mitigations by March 17, 2026.
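The affected-version ranges above lend themselves to a quick inventory triage. The following script is an added example written for this article, not code from Soliton Systems or HelpNet Security; it encodes only the ranges stated here (5.0.0 through 5.0.10, 4.2.1 through 4.2.8, FileZen S not affected, 5.0.11 fixed) and takes a hypothetical inventory list whose field names (`host`, `product`, `version`, `av_scanning`) are assumptions. Because exploitation needs antivirus scanning enabled, appliances that are both unpatched and scanning get the highest priority, but every unpatched appliance is still flagged for upgrade.

```python
# Inventory triage for CVE-2026-25108 (added example; ranges from the article).

# Affected ranges, inclusive, keyed by the major.minor line they belong to.
AFFECTED_RANGES = {
    (5, 0): ((5, 0, 0), (5, 0, 10)),
    (4, 2): ((4, 2, 1), (4, 2, 8)),
}
FIXED_VERSION = "5.0.11"


def parse_version(text):
    """Turn 'x.y.z' into a comparable tuple; reject anything else loudly."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """True if this appliance version falls inside an affected range.

    FileZen S is a separate product line that the advisory lists as not
    vulnerable, so it is excluded regardless of version.
    """
    if product.strip().lower() == "filezen s":
        return False
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        return False
    lo, hi = rng
    return lo <= v <= hi


def triage(inventory):
    """Map each host to a priority label.

    inventory: list of dicts with hypothetical keys
        host, product, version, av_scanning (bool)
    """
    result = {}
    for item in inventory:
        if not is_affected(item["product"], item["version"]):
            result[item["host"]] = "not affected"
        elif item.get("av_scanning", False):
            # Exploitation precondition present: patch this one first.
            result[item["host"]] = f"PRIORITY 1: upgrade to {FIXED_VERSION}, AV scanning enabled"
        else:
            result[item["host"]] = f"PRIORITY 2: upgrade to {FIXED_VERSION}"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fz-dmz-01", "product": "FileZen", "version": "5.0.10", "av_scanning": True},
    {"host": "fz-dmz-02", "product": "FileZen", "version": "4.2.3", "av_scanning": False},
    {"host": "fz-lab-01", "product": "FileZen", "version": "5.0.11", "av_scanning": True},
    {"host": "fz-s-01", "product": "FileZen S", "version": "5.0.5", "av_scanning": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the output of whatever asset inventory you already keep; the only FileZen-specific knowledge it carries is the version table, so update that table if the vendor revises the affected list.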
Beyond patching, organizations need to conduct thorough forensic reviews. Japan’s CERT Coordination Center notes that FileZen includes monitoring for its system directory; changes to files in that location should generate log entries. Administrators should contact Soliton Systems for specific guidance on interpreting these logs. Furthermore, organizations must scrutinize access logs for any signs of unauthorized activity using compromised accounts. If evidence of intrusion is found, a precautionary reset of all account passwords is a recommended step.
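The access-log review described above can be scripted. The example below is added here and is not from the article, JPCERT/CC or Soliton Systems; the page does not describe FileZen's log format, so the sample lines use a hypothetical `key=value` layout (constructed, with RFC 5737 documentation addresses) and the regular expression `LINE_RE` would have to be adapted to the real format. It looks for the two indicators the article names: a burst of failed logins against one account followed by a success (guessed credentials) and an account that logs in from more than one source address (a possible compromised account).

```python
import re
from collections import defaultdict

# Constructed sample access log in a hypothetical key=value layout.
SAMPLE_LOG = """\
2026-03-01T09:58:01Z src=203.0.113.7 user=guest result=FAIL
2026-03-01T09:58:02Z src=203.0.113.7 user=guest result=FAIL
2026-03-01T09:58:03Z src=203.0.113.7 user=guest result=FAIL
2026-03-01T09:58:04Z src=203.0.113.7 user=guest result=FAIL
2026-03-01T09:58:05Z src=203.0.113.7 user=guest result=FAIL
2026-03-01T09:58:09Z src=203.0.113.7 user=guest result=OK
2026-03-01T10:02:11Z src=198.51.100.20 user=alice result=OK
2026-03-01T10:05:40Z src=198.51.100.21 user=bob result=FAIL
2026-03-01T10:05:45Z src=198.51.100.21 user=bob result=OK
2026-03-01T11:30:00Z src=203.0.113.99 user=alice result=OK
"""

# Adapt this pattern to the appliance's actual access-log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse matching lines into dicts; silently skip lines of other shapes."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_guessing(events, threshold=5):
    """(src, user) pairs that failed at least `threshold` times, then succeeded."""
    fails = defaultdict(int)
    hits = []
    for e in events:
        key = (e["src"], e["user"])
        if e["result"] == "FAIL":
            fails[key] += 1
            continue
        if fails[key] >= threshold:
            hits.append({
                "src": e["src"],
                "user": e["user"],
                "failures_before_success": fails[key],
                "at": e["ts"],
            })
        fails[key] = 0  # a success ends the streak either way
    return hits


def find_multi_source_logins(events):
    """Accounts with successful logins from more than one source address."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            sources[e["user"]].add(e["src"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) > 1}


def review(text, threshold=5):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {
        "guessing": find_guessing(events, threshold),
        "multi_source": find_multi_source_logins(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the constructed log this reports the `guest` account succeeding after five failures from one address and `alice` logging in from two different addresses. Both are prompts for a closer look rather than proof of intrusion; the multi-source check in particular will flag legitimate roaming users, so tune it against your own baseline before acting on it, and treat a confirmed hit as the trigger for the password reset the article recommends.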
This incident is a stark reminder of the persistent threat to managed file transfer solutions. It is not the first time a zero-day vulnerability has been exploited in the FileZen platform, highlighting the need for continuous vigilance, prompt patching, and robust credential management in these critical network segments.
(Source: HelpNet Security)