Vulnerability in the FileZen File Transfer App The file transfer solution from Soliton Systems K.K This article explores vulnerability filezen. . has been found to have a serious flaw that could let attackers run arbitrary system commands on compromised installations.

With a CVSS v3.0 base score of 8.8, the problem—tracked as CVE-2026-25108—has been evaluated as having a serious command injection vulnerability. Find out more Software for preventing data loss Services for digital forensics Monitoring of data breaches When the Antivirus Check Option is enabled, FileZen's processing mechanism has an OS command injection vulnerability (CWE-78) that causes the flaw. By sending specially constructed HTTP requests to the impacted FileZen instance, attackers with authenticated access could take advantage of this vulnerability and obtain execution privileges on the underlying operating system.

Exploitation attempts targeting this vulnerability have already been seen in the wild, according to the developer, Soliton Systems K.K., indicating active use of this flaw prior to its patching. Vulnerability File for FileZen File Transfer AppBusinesses frequently use Zen, a secure file transfer and sharing platform, to exchange data within and between internal networks. The business made it clear that FileZen S, a different version, is unaffected.

CVSS CVE ID The description of the affected versions is CVE-2026-25108 8.8 (High), which allows arbitrary execution through OS command injection. V4.2.1–V4.2.8 and V5.0.0–V5.0.10 Once logged in, the vulnerability enables a legitimate attacker to send a maliciously constructed HTTP request that could execute any OS-level command with elevated privileges.

Attackers may be able to alter files, completely compromise the impacted appliance, or gain enduring access for additional network exploitation if the exploitation is successful. Find out more Detection of threats in real time Services for penetration testing Computer This vulnerability affects a file transfer system that is frequently exposed to enterprise networks, and the risk extends to data confidentiality and system integrity, according to the advisory released by Japan's JPCERT/CC (JVN#84622767). A firmware update from Soliton Systems has been made available to fix this problem.

It is recommended that users update to FileZen firmware version V5.0.11 or later because it contains security fixes that eliminate the OS command injection vector. For daily cybersecurity updates, users should also check LinkedIn and X. To have your stories featured, get in touch with us.