A widely used file transfer solution designed for secure data exchange has become a gateway for cyberattacks, as security researchers have uncovered a critical vulnerability in FileZen that is already being actively exploited in the wild. The flaw, identified as CVE-2026-25108, affects the popular software from Japan-based Soliton Systems and allows authenticated attackers to execute arbitrary operating system commands, effectively handing them control over the affected server. This vulnerability represents a significant threat to organizations that rely on FileZen for transferring sensitive or confidential information, turning a tool meant to safeguard data into a potential point of complete system compromise. The active exploitation underscores the urgency for immediate action, as threat actors are not waiting for organizations to apply patches. The core of the issue lies within an OS command injection weakness, which can be triggered under specific conditions, transforming a legitimate user account into a powerful weapon for system infiltration, data exfiltration, or the deployment of additional malware payloads.
The Anatomy of the Attack
The technical breakdown of CVE-2026-25108 reveals a high-severity flaw with CVSS scores of 8.8 (v3.0) and 8.7 (v4.0), highlighting its potential for severe damage. The vulnerability is specifically triggered when FileZen’s Antivirus Check Option is enabled, creating an exploitable condition in how the software processes user inputs. An attacker who has already obtained valid login credentials—whether through phishing, credential stuffing, or other means—can leverage this access to send specially crafted HTTP requests to the FileZen server. These requests are designed to inject malicious commands directly into the operating system, which are then executed with the same privileges as the FileZen application itself. This level of access is devastating, as it could permit an attacker to navigate the server’s file system, steal sensitive corporate data being transferred through the platform, install persistent backdoors, or use the compromised server as a launchpad for further attacks across the corporate network. The requirement for authentication, while a mitigating factor, does little to protect against insider threats or scenarios where user accounts have already been compromised.
Official Response and Mitigation Steps
In response to the active exploitation and the high-severity nature of the flaw, Soliton Systems has released a critical security patch to address the vulnerability. According to a Japan Vulnerability Notes (JVN) advisory issued on February 13, 2026, organizations using FileZen versions V-5.0.0 through V-5.0.10 and V-4.2.1 through V-4.2.8 are directly affected and should prioritize immediate upgrades; it was confirmed that FileZen S versions are not impacted. The official remediation is available in version V-5.0.11, and administrators are strongly urged to apply this update without delay. As a temporary stopgap measure, organizations unable to patch immediately can reduce their attack surface by disabling the Antivirus Check Option, though this is not a comprehensive solution and only serves as an interim fix. Following the disclosure, security teams were advised to conduct thorough reviews of their system logs for any suspicious HTTP traffic or unusual command-line artifacts dating from mid-February 2026 onward. This forensic analysis proved essential for detecting whether systems had already been compromised before the patch was deployed.
