The issue, tracked as CVE-2026-25108, has been assessed with a CVSS v3.0 base score of 8.8, indicating a severe command injection flaw.
The flaw stems from an OS command injection vulnerability (CWE-78) within FileZen’s processing mechanism whenever the Antivirus Check Option is enabled.
Attackers with authenticated access could exploit this weakness by sending specially crafted HTTP requests to the affected FileZen instance, thereby gaining execution privileges on the underlying operating system.
The developer, Soliton Systems K.K., confirmed that exploitation attempts targeting this vulnerability have already been observed in the wild, indicating active use of this flaw before it was patched.
FileZen is a secure file transfer and sharing system widely used by enterprises for data exchange across organizations and internal networks. The company clarified that FileZen S (a separate variant) is not affected.

| CVE ID | CVSS v3.0 | Description | Affected Versions |
|---|---|---|---|
| CVE-2026-25108 | 8.8 (High) | OS command injection enabling arbitrary execution. | V5.0.0–V5.0.10, V4.2.1–V4.2.8 |

The issue allows an attacker who has logged in to send a maliciously crafted HTTP request that could run arbitrary OS-level commands with elevated privileges.
Successful exploitation may enable attackers to fully compromise the affected appliance, manipulate files, or establish persistent access for further exploitation within the network.
According to the advisory published through Japan’s JPCERT/CC (JVN#84622767), this vulnerability affects a file transfer system often exposed to enterprise networks, and the risk extends to data confidentiality and system integrity.
Soliton Systems has released a firmware update addressing this issue. Users are urged to upgrade to FileZen firmware version V5.0.11 or later, as it includes security fixes that neutralize the OS command injection vector.
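For triaging an appliance inventory against the version ranges above, the following Python sketch is an added example, not code from Soliton Systems or the advisory. The inventory format, hostnames and status labels are assumptions; it compares versions numerically (so V5.0.10 sorts after V5.0.9) and does not check whether the Antivirus Check Option is enabled.

```python
import re

# Affected ranges exactly as listed in the article's table (inclusive).
AFFECTED_RANGES = [
    ((5, 0, 0), (5, 0, 10)),
    ((4, 2, 1), (4, 2, 8)),
]
FIXED_VERSION = (5, 0, 11)  # "V5.0.11 or later" per the article

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) for strings like 'V5.0.7', else None."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(product, version_text):
    """Classify one appliance against the CVE-2026-25108 version data."""
    if product.strip().lower() == "filezen s":
        return "not-affected"          # separate variant, stated as unaffected
    version = parse_version(version_text)
    if version is None:
        return "unknown"               # unparseable string: verify by hand
    if any(lo <= version <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if version >= FIXED_VERSION:
        return "fixed"
    return "not-listed"                # outside the published ranges


def triage(inventory):
    """Map host -> status for an iterable of (host, product, version)."""
    return {host: classify(product, ver) for host, product, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fz-dmz-01", "FileZen", "V5.0.10"),
    ("fz-dmz-02", "FileZen", "V5.0.11"),
    ("fz-int-01", "FileZen", "v4.2.8"),
    ("fz-int-02", "FileZen", "V4.2.0"),
    ("fz-lab-01", "FileZen S", "V5.0.3"),
    ("fz-old-01", "FileZen", "5.0"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `not-listed` fall outside what the published ranges cover and need a manual check against the vendor advisory.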
The post FileZen File Transfer App Vulnerability Enables Arbitrary Command Execution appeared first on Cyber Security News.