CVE-2026-25108 - Vulnerability Details

Description

FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

Published: 2026-02-13

Score: 8.7 High

EPSS: 8.4% Low

KEV: Yes

Impact:

Action:

Analysis

Impact

A flaw in FileZen’s antivirus check option permits an authenticated, logged‑in user to send a crafted HTTP request that is interpreted as an OS command, enabling arbitrary command execution on the host. The vulnerability is an OS command injection, classified as CWE‑78, and can compromise confidentiality, integrity, and availability by allowing an attacker to run any command with the privileges of the FileZen service.

Affected Systems

The affected product is Soliton Systems FileZen. No specific version information was supplied.

Risk and Exploitability

The flaw carries a CVSS score of 8.7 and an EPSS score of 8 %, indicating a high likelihood of exploitation. It is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active or recent exploitation. Attackers must be authenticated and exploit the enabled antivirus check option; once they do, they can execute any OS command on the underlying system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Soliton Systems K.K.

FileZen

affected

Version	Status	Constraints
`V5.0.0 to V5.0.10`	affected	—

Soliton Systems K.K.

FileZen

affected

Version	Status	Constraints
`V4.2.1 to V4.2.8`	affected	—

Configuration 1 [-]

cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Soliton Systems K.k.

Filezen

—

Version	Status	Scheme	Platform
`[V5.0.0,V5.0.10]`	affected	generic	—

Soliton Systems K.k.

Filezen

—

Version	Status	Scheme	Platform
`[V4.2.1,V4.2.8]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable the FileZen Antivirus Check option to eliminate the command injection vector until a patch is available.
Apply the vendor’s latest patch or upgrade to a fixed release as announced on Soliton’s support site.
Monitor web application logs for anomalous HTTP requests targeting the antivirus check endpoint and review any unexpected command executions.

Generated by OpenCVE AI on April 22, 2026 at 19:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is in the KEV database since Feb. 24, 2026.

The EPSS score is 0.0837.

Exploitation active

Automatable no

Technical Impact total

References

Link	Providers
https://jvn.jp/en/jp/JVN84622767/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108
https://www.soliton.co.jp/support/2026/006657.html

History

Wed, 22 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Title	OS Command Injection in FileZen Antivirus Check Option Allowing Arbitrary Command Execution

Fri, 17 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Title		OS Command Injection in FileZen Antivirus Check Option Allowing Arbitrary Command Execution

Tue, 24 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Soliton Soliton filezen
CPEs		cpe:2.3:a:soliton:filezen::::::::
Vendors & Products		Soliton Soliton filezen
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Tue, 24 Feb 2026 19:15:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-02-24T00:00:00+00:00', 'dueDate': '2026-03-17T00:00:00+00:00'}`

Fri, 13 Feb 2026 21:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Soliton Systems K.k. Soliton Systems K.k. filezen
Vendors & Products		Soliton Systems K.k. Soliton Systems K.k. filezen

Fri, 13 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 13 Feb 2026 05:00:00 +0000

Type	Values Removed	Values Added
Description	FileZen contains an OS command injection vulnerability. When FileZen virus check option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.	FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

Fri, 13 Feb 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		FileZen contains an OS command injection vulnerability. When FileZen virus check option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.
Weaknesses		CWE-78
References		https://jvn.jp/en/jp/JVN84622767/ https://www.soliton.co.jp/support/2026/006657.html
Metrics		cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Soliton Filezen

Soliton Systems K.k. Filezen

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2026-02-13T03:39:03.795Z

Updated: 2026-02-26T14:44:20.718Z

Reserved: 2026-01-30T11:03:04.608Z

Link: CVE-2026-25108

Vulnrichment

Updated: 2026-02-13T13:08:28.786Z

NVD

Status : Analyzed

Published: 2026-02-13T04:15:53.410

Modified: 2026-02-24T21:38:18.607

Link: CVE-2026-25108

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation active

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object