CyberSecurity News

FileZen File Transfer App Flaw Allows Arbitrary Command Execution

Soliton Systems K.K.’s file transfer solution contains a critical vulnerability, potentially enabling attackers to execute arbitrary system commands on affected installations. The issue,...

Sarah simpson
Sarah simpson
February 16, 2026 2 Min Read
0 0

Soliton Systems K.K.’s file transfer solution contains a critical vulnerability, potentially enabling attackers to execute arbitrary system commands on affected installations.

The issue, tracked as CVE-2026-25108, has been assessed with a CVSS v3.0 base score of 8.8, indicating a severe command injection flaw.

The flaw stems from an OS command injection vulnerability (CWE-78) within FileZen’s processing mechanism whenever the Antivirus Check Option is enabled.

Attackers with authenticated access could exploit this weakness by sending specially crafted HTTP requests to the affected FileZen instance, thereby gaining execution privileges on the underlying operating system.

The developer, Soliton Systems K.K., confirmed that exploitation attempts targeting this vulnerability have already been observed in the wild, indicating active use of this flaw before it was patched.

FileZen File Transfer App Vulnerability

FileZen is a secure file transfer and sharing system widely used by enterprises for data exchange across organizations and internal networks. The company clarified that FileZen S (a separate variant) is not affected.

CVE ID CVSS Description Affected Versions
CVE-2026-25108 8.8 (High) OS command injection enabling arbitrary execution. V5.0.0–V5.0.10, V4.2.1–V4.2.8

The issue allows an authenticated attacker, once logged in, to send a maliciously crafted HTTP request that could run arbitrary OS-level commands with elevated privileges.

Successful exploitation may enable attackers to fully compromise the affected appliance, manipulate files, or establish persistent access for further exploitation within the network.

According to the advisory published through Japan’s JPCERT/CC (JVN#84622767), this vulnerability affects a file transfer system often exposed to enterprise networks, and the risk extends to data confidentiality and system integrity.

Soliton Systems has released a firmware update addressing this issue. Users are urged to upgrade to FileZen firmware version V5.0.11 or later, as it includes security fixes that neutralize the OS command injection vector.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts