CISA Confirms Active Exploitation of FileZen CVE-2026-25108 Vulnerability (CVSS 8.7)

Estimated reading time: 6 minutes

Key Takeaways:

  • CVE-2026-25108 is a high-severity OS command injection vulnerability in Soliton FileZen appliances being actively exploited in the wild.
  • Exploitation requires only “general user” authentication and targets the system’s Antivirus Check Option.
  • CISA has mandated a remediation deadline of March 17, 2026, for federal agencies.
  • Upgrading to FileZen version 5.0.11 or later is the only confirmed permanent fix for this vulnerability.

Table of Contents:

CISA Confirms Active Exploitation of FileZen CVE-2026-25108 Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects FileZen, a file transfer appliance developed by Soliton Systems K.K. Evidence indicates that threat actors are actively utilizing this flaw to bypass security controls and execute arbitrary code on targeted systems. The vulnerability is categorized as an operating system (OS) command injection flaw, carrying a CVSS v4 score of 8.7, which signifies a high-severity risk to organizational infrastructure.

The vulnerability allows an authenticated user to execute arbitrary commands by sending specially crafted HTTP requests to the FileZen interface. According to research findings, the exploitation path is tied to the FileZen Antivirus Check Option. When this specific feature is enabled, the system fails to properly sanitize user-supplied input before passing it to the underlying operating system shell.

Soliton Systems has confirmed at least one instance of data compromise resulting from the exploitation of this vulnerability. While the attack requires authentication, the level of access needed is minimal. An attacker only requires “general user” privileges to initiate the command injection. This low barrier for entry makes the vulnerability particularly dangerous for organizations that provide broad access to their file transfer portals.

Technical Analysis of CVE-2026-25108

OS command injection occurs when an application transmits unsafe data-such as cookies, form fields, or HTTP headers-to an operating system shell. In the case of FileZen, the vulnerability manifests during the file processing phase when the Antivirus Check Option is active. The system’s internal logic processes HTTP requests in a manner that allows an attacker to append shell commands to legitimate parameters.

Because the appliance operates with elevated system permissions to facilitate file management and antivirus scanning, any command executed via this injection inherits those permissions. This allows for a complete takeover of the appliance, enabling attackers to move laterally within the network, exfiltrate sensitive files, or install persistent backdoors.

Affected Versions and Vendor Response

The Japan Vulnerability Notes (JVN) and Soliton Systems have identified the following versions as vulnerable to CVE-2026-25108:

  • FileZen Versions 4.2.1 through 4.2.8
  • FileZen Versions 5.0.0 through 5.0.10

Organizations utilizing these versions must prioritize the transition to version 5.0.11 or later. Soliton has indicated that simply disabling the Antivirus Check Option may reduce the immediate attack surface but does not replace the requirement for a full firmware update. Furthermore, because exploitation requires a valid user account, the vendor recommends a comprehensive password reset for all users if an organization suspects a compromise. This is necessary because attackers often use stolen credentials gathered via a dark web monitoring service or telegram threat monitoring to gain the initial authenticated access required for this specific exploit.

The Role of Managed File Transfer (MFT) in Supply-Chain Risk

File transfer appliances like FileZen are frequent targets for sophisticated threat actors due to their position in the network. These systems often sit on the perimeter to facilitate data exchange between internal users and external partners. This makes them a primary focus for supply-chain risk monitoring. A compromise of an MFT solution does not just affect the individual appliance; it exposes all data transiting through the system and provides a gateway into the internal network.

The exploitation of CVE-2026-25108 fits into a broader pattern of attacks against MFT solutions. Threat actors recognize that these appliances often handle unencrypted, sensitive data before it is moved to long-term storage. By utilizing underground forum intelligence, security teams can often find discussions regarding such vulnerabilities before they are widely publicized. In many cases, initial access brokers sell credentials for these specific appliances, which allows other groups to deploy ransomware or conduct corporate espionage.

Integration with Cyber Threat Intelligence Platforms

To mitigate the risk of zero-day and N-day exploits like CVE-2026-25108, organizations require a sophisticated cyber threat intelligence platform. Such platforms aggregate data from various sources to provide early warning indicators of exploitation. For instance, real-time ransomware intelligence can alert an organization if a known ransomware group is observed targeting Soliton FileZen instances globally.

The integration of a live ransomware API into existing security operations allows for the automated blocking of IP addresses associated with known exploit attempts. When CISA adds a vulnerability to the KEV catalog, it is an indication that the flaw is no longer a theoretical risk but a present danger. Organizations must use breach detection tools to scan for indicators of compromise (IoC) specifically related to FileZen’s HTTP logs, looking for unusual shell syntax or unexpected outbound connections from the appliance.

Dark Web and Telegram Monitoring for Credential Protection

Since CVE-2026-25108 requires authentication, the security of user credentials is a primary defense layer. Threat actors frequently use brand leak alerting to identify when company-specific credentials appear in public or semi-private leaks. Telegram threat monitoring is particularly useful here, as many automated bots now scrape and distribute “combo lists” of usernames and passwords across various channels.

By employing a dark web monitoring service, organizations can proactively identify if any FileZen user accounts have been compromised. If a set of credentials for a FileZen instance is found on an underground forum, the organization can force a password reset and implement multi-factor authentication (MFA) before a threat actor uses those credentials to trigger the OS command injection vulnerability.

CISA Mandates and Timeline

CISA has set a deadline of March 17, 2026, for Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2026-25108. While this mandate specifically applies to federal agencies, it serves as a benchmark for private sector organizations. The inclusion in the KEV catalog implies that the vulnerability is being used in the wild, likely by state-sponsored actors or organized cybercriminal groups.

The transition to version 5.0.11 is the only verified method to eliminate the vulnerability. For organizations unable to patch immediately, isolating the FileZen appliance from the internet and restricting access to a limited set of internal IP addresses via a VPN is a necessary interim measure.

Technical Actionable Takeaways

For Engineering and Security Teams:

  • Version Verification: Immediately audit all Soliton FileZen instances to determine if they fall within the 4.2.1-4.2.8 or 5.0.0-5.0.10 range.
  • Log Analysis: Review HTTP server logs for signs of shell metacharacters (e.g., ;, &, |, `, $()) within parameters passed to the appliance.
  • Patch Deployment: Apply the firmware update to version 5.0.11 or higher. Perform this in a staged environment first.
  • Credential Rotation: If unauthorized access is suspected, perform a global password reset and enforce MFA.
  • Network Segmentation: Restrict the appliance’s ability to initiate outbound connections except for necessary updates.

For IT Leadership and Risk Managers:

  • Supply-Chain Audit: Document and evaluate the security posture of third-party file transfer solutions.
  • Incident Response Readiness: Ensure playbooks include specific procedures for MFT compromise and data loss prevention.
  • Resource Allocation: Prioritize the March 17, 2026, deadline for patching.
  • Intelligence Integration: Ensure your CTI provides coverage for specialized technology stacks like Soliton Systems.

PurpleOps Expertise in Vulnerability Management

PurpleOps provides comprehensive security services to assist organizations in managing high-risk vulnerabilities like CVE-2026-25108. Our approach combines automated scanning with manual expert analysis to ensure that perimeter devices are configured according to industry best practices.

Through our Cyber Threat Intelligence services, we offer organizations the ability to stay ahead of active exploits. We provide Dark Web Monitoring to identify leaked credentials that could be used to satisfy the authentication requirement of this FileZen flaw.

Organizations concerned about their exposure to MFT-based attacks can utilize our services to simulate an attack against their FileZen environment. Furthermore, our focus on Supply Chain Information Security ensures that third-party software risks are integrated into the broader corporate risk management framework.

Addressing the Post-Exploitation Phase

If an attacker successfully exploits CVE-2026-25108, the subsequent phase typically involves the deployment of web shells to maintain persistence. At this stage, breach detection becomes the primary objective. Security teams should monitor for unexpected processes spawning from the web server user or large-scale data egress to unknown IP addresses.

By utilizing real-time ransomware intelligence, organizations can cross-reference outbound connection attempts with known command-and-control (C2) infrastructure. A live ransomware API can facilitate the rapid ingestion of these IoCs into an EDR or SIEM platform, allowing for automated containment of the compromised appliance.

Ensuring that all FileZen instances are updated to version 5.0.11 or later is the immediate technical requirement to maintain the integrity of the file transfer environment. PurpleOps remains committed to providing the technical expertise and platforms necessary to navigate these risks through our PurpleOps Solutions and Platform.

Frequently Asked Questions

What is the primary nature of CVE-2026-25108?
It is an OS command injection vulnerability in the Soliton FileZen file transfer appliance that allows authenticated users with minimal privileges to execute arbitrary commands.

Does disabling the Antivirus Check Option fix the issue?
While disabling the feature reduces the attack surface, it is not a permanent fix. Soliton Systems mandates a firmware update to version 5.0.11 or higher.

How are threat actors gaining the required authentication?
Attackers often use stolen credentials sourced from dark web leaks, underground forums, and automated credential stuffing attacks.

What is the CISA deadline for remediation?
Federal agencies have until March 17, 2026, to apply the necessary patches and remediate the vulnerability.

How can PurpleOps help with this specific threat?
PurpleOps offers dark web monitoring to protect against credential theft, to validate defenses, and specialized red team operations to simulate active exploitation scenarios.