Advisory

CISA Reports Actively Exploited Soliton FileZen Command Injection Vulnerability

Take action: Update your FileZen appliances to version 5.0.11 ASAP and reset all user passwords to block attackers using stolen credentials. Check your system directory logs for any unauthorized file changes to confirm if your system was already compromised. Isolation is not really an option, since this platform is designed to be accessible by external users.


Learn More

CISA is warning of active exploitation of Soliton Systems' FileZen, a secure file transfer solution used by government agencies and private businesses to move data between segregated networks. 

The flaw is tracked as CVE-2026-25108 (CVSS score 8.8), an OS command injection vulnerability that lets remote, authenticated attackers run arbitrary commands on the underlying operating system. The flaw exists in an input field on the screen displayed after a user logs into the web interface. Attackers can send a crafted HTTP request that includes malicious commands, which the system then runs with high privileges. The attack works only if the antivirus scanning option is active and the attacker has valid credentials, which they often get through password guessing or credential theft.

Soliton Systems confirmed that attackers are actively using this bug, leading to multiple reports of system compromise. The announcement follows reports of a ransomware incident at Japan’s Washington Hotel, which some researchers link to this vulnerability.

Exploiting this vulnerability allows attackers to gain full control over the FileZen appliance and the sensitive data it handles. Because FileZen often sits between protected network zones, a compromise provides a perfect foothold for lateral movement into restricted corporate environments. 

The vulnerability impacts both physical and virtual appliance versions of Soliton FileZen. Affected versions include the v5.0.x branch from v5.0.0 to v5.0.10 and the v4.2.x branch from v4.2.1 to v4.2.8. 

Soliton Systems released version v5.0.11 to fix the vulnerability, and users should apply this update ASAP. CISA ordered U.S. federal civilian agencies to remediate the vulnerability by March 17, 2026. Beyond patching, administrators should reset all user passwords to stop attackers from using stolen accounts. Organizations should also check system logs for unauthorized file changes, as FileZen includes a monitoring feature that records modifications to its system directory.
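As an added example (not code from Soliton or CISA), the affected ranges and fixed release stated above can drive a small inventory triage that ranks appliances for patching. The hostnames and inventory format are constructed, and treating any release at or above v5.0.11 as fixed is an assumption.

```python
import re

# Inclusive version ranges and fixed release, as stated in the advisory text.
AFFECTED = [((5, 0, 0), (5, 0, 10)), ((4, 2, 1), (4, 2, 8))]
FIXED = (5, 0, 11)

_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not in x.y.z form."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Classify one reported version against the advisory's ranges."""
    ver = parse_version(text)
    if ver is None:
        return "unparseable"
    # Integer tuples compare numerically, so 5.0.10 sorts above 5.0.9
    # (a plain string comparison would get this wrong).
    if any(lo <= ver <= hi for lo, hi in AFFECTED):
        return "affected"
    if ver >= FIXED:  # assumption: later releases keep the fix
        return "fixed-or-later"
    # Builds the advisory does not mention (e.g. 4.2.0): verify by hand.
    return "not-listed"


def triage(inventory):
    """Return (host, version, status) rows with the most urgent hosts first."""
    order = {"affected": 0, "unparseable": 1, "not-listed": 2, "fixed-or-later": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fz-dmz-01": "v5.0.10",
    "fz-dmz-02": "5.0.11",
    "fz-lab-01": "V4.2.8",
    "fz-old-01": "4.2.0",
    "fz-unk-01": "5.0",
}

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{host:10} {ver:8} {status}")
```

Hosts reported as `unparseable` or `not-listed` need a manual check, since the advisory does not say how versions outside the listed ranges are affected.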
