Tracked as CVE-2026-25108, this OS command injection flaw strikes high with CVSS scores of 8.8 (v3.0) and 8.7 (v4.0).
It poses a major threat to businesses handling sensitive file transfers, especially those with the Antivirus Check Option turned on.
The issue arises when attackers with valid login credentials send specially crafted HTTP requests. This exploits a weakness in how FileZen processes inputs during antivirus scanning, injecting malicious commands that execute with the app’s privileges.
Attackers could steal data, install malware, or fully take over the system. Japan’s Vulnerability Notes (JVN) advisory, published February 13, 2026, confirms real-world exploitation attempts are underway, urging immediate action.
FileZen versions V-5.0.0 to V-5.0.10 and V-4.2.1 to V-4.2.8 are affected. FileZen S versions remain safe.
No exploit code is public yet, but the low barrier, needing only authentication, makes it dangerous in shared environments.
| CVE ID | CVSS v3.0 Score | CVSS v4.0 Score | Description |
|---|---|---|---|
| CVE-2026-25108 | 8.8 (High) | 8.7 (Critical) | OS command injection in FileZen; authenticated attackers execute arbitrary commands via crafted HTTP requests when Antivirus Check Option is enabled. |
Exploitation grants attackers the app’s system-level access, risking total compromise of confidentiality, integrity, and availability.
Soliton Systems patched it in V-5.0.11 after working with JPCERT/CC under Japan’s early warning partnership. The fix blocks the injection path without breaking core features.
Organizations must upgrade now, prioritizing setups with antivirus scanning active. Scan logs for odd logins, suspicious HTTP traffic, or command artifacts from mid-February 2026.
JPCERT/CC’s alert JPCERT-AT-2026-0004 offers Japanese-specific tips, including IOCs for failed exploits.
This flaw highlights risks in file transfer tools with integrated scanning. Disabling the Antivirus Check Option reduces exposure until patching, but it’s no substitute for updates. Vendors like Soliton stress secure defaults in future releases.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
The post Critical FileZen File Transfer Flaw Allows Arbitrary Command Execution appeared first on Cyber Security News.
Crimson Desert feels like it was designed in a lab by someone who wanted to…
HAMMOND, Ind. (WOWO) — An East Chicago woman who spent more than two decades collecting…
MIAMI BEACH, FL. (WOWO) — An Indiana University student and a recent graduate were killed…
TransAlta’s coal-fired power plant in Centralia, Wash., is among the facilities that received emergency orders…
A complete episode from the first season of Mystery Science Theater 3000, "Star Force: The…
Nvidia announced DLSS 5 on Monday, which was swiftly followed by immediate backlash from gamers…
This website uses cookies.