CVE-2026-25108

Description

FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

Overview

State: PUBLISHED
Assigner (CNA): jpcert
CVSS severity: HIGH
CVSS score: 8.7 / 10
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Effective score: 8.7 / 10 HIGH source: CNA overview
CWE(s): CWE-78
Reserved: 2026-01-30
Published: 2026-02-13 03:39 UTC
Last updated: 2026-02-26 14:44 UTC
Source: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/25xxx/CVE-2026-25108.json
Linked Threat: CVE-2026-25108 — Soliton Systems K.K FileZen: Soliton Systems K.K FileZen OS Command Injection Vulnerability

CISA Known Exploited Vulnerabilities CISA KEV

CISA has confirmed in-the-wild exploitation of this CVE. Federal agencies must remediate by the due date below; private orgs should treat it as priority-1.

Vulnerability name: Soliton Systems K.K FileZen OS Command Injection Vulnerability
Vendor / project: Soliton Systems K.K
Product: FileZen
Date added to KEV: 2026-02-24
Remediation due: 2026-03-17
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ransomware campaign use: Unknown
CISA notes: https://jvn.jp/en/jp/JVN84622767/ ; https://nvd.nist.gov/vuln/detail/CVE-2026-25108
CISA listing: www.cisa.gov/known-exploited-vulnerabilities-catalog

NVD triage scoring NVD CVE 2.0

Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.

NVD published: 2026-02-13 04:15:53 UTC
NVD last modified: 2026-02-24 21:38:18 UTC
NVD CVSS v3.1: 8.8 / 10 HIGH source: nvd@nist.gov
NVD CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability subscore: 2.8 / 10
Impact subscore: 5.9 / 10
EPSS score: 0.0837 (probability of exploitation in next 30 days)
EPSS percentile: 92.40% vs all CVEs — higher = more likely to be exploited, as of 2026-05-24

European Union Vulnerability Database ENISA EUVD

ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.

EUVD ID: EUVD-2026-6172
Assigner: jpcert
Published: Feb 13, 2026, 3:39:03 AM
Updated: Feb 26, 2026, 2:44:20 PM
EUVD base score (CVSS 4.0): 8.7 / 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EUVD-reported EPSS: 8.3700
Vendors: Soliton Systems K.K.
Products: FileZen (V4.2.1 to V4.2.8)

FileZen (V5.0.0 to V5.0.10)

FileZen (V5.0.0 to V5.0.10)

FileZen (V4.2.1 to V4.2.8)
Aliases: GHSA-qgqm-fpvv-jgfh

ENISA description: FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

EUVD references (2)

Affected products (2)

Vendor	Product	Versions	Platforms
Soliton Systems K.K.	FileZen	`V5.0.0 to V5.0.10` (affected)	—
Soliton Systems K.K.	FileZen	`V4.2.1 to V4.2.8` (affected)	—

Affected products — CPE 2.3 (1) NVD

NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.

cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*

Remediations (9)

Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.

Patch Tuesday May 2026: Security Updates & CVE Analysis

web:zecurit.com

Get the complete breakdown of Microsoft's May 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs .

2026-05-14 15:20 UTC
Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed, Including ...

web:cybersecuritynews.com

Microsoft's May 2026 Patch Tuesday lands with a heavy enterprise focus, fixing 120 vulnerabilities across Windows, Office, Azure, developer tools, and Microsoft 365 apps, including 29 remote code execution (RCE) flaws rated Critical.

2026-05-14 15:20 UTC
.NET and .NET Framework May 2026 servicing releases updates

web:devblogs.microsoft.com

Welcome to our combined .NET servicing updates for May 2026 . Let's get into the latest release of .NET & .NET Framework, here is a quick overview of what's new in our servicing releases: Security improvements .NET and .NET Framework have been refreshed with the latest update as of May 12, 2026 . This update contains security and non-security fixes. This month you will find that these CVEs ...

2026-05-14 15:20 UTC
Security Update Guide - Microsoft

web:portal.msrc.microsoft.com

The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.

2026-05-14 15:20 UTC
Microsoft's May 2026 Patch Tuesday Fixes 130+ Vulnerabilities ...

web:windowsreport.com

Microsoft has released its May 2026 Patch Tuesday updates for Windows 11 and Windows 10, shipping as KB5089549 and KB5087544. The updates include fixes for more than 130 security vulnerabilities across Windows, Office, SharePoint, DNS components, and core system services, as Bleeping Computer writes. While no publicly disclosed zero-day vulnerabilities were reported this month, the […]

2026-05-14 15:20 UTC
Microsoft addresses 137 vulnerabilities in May's Patch Tuesday ...

web:cyberscoop.com

Threats Microsoft addresses 137 vulnerabilities in May's Patch Tuesday, including 13 rated critical The high volume of vulnerabilities reflects a growing trend researchers have been anticipating as artificial intelligence models are deployed to find previously uncovered defects in code.

2026-05-14 15:20 UTC
Dangerous Fake Microsoft Windows Update Confirmed—Do Not Download

web:www.forbes.com

As security researchers warn about a dangerous Microsoft Windows update that isn't legitimate, users must pay close attention to what they are actually downloading.

2026-05-14 15:20 UTC
Microsoft May 2026 Patch Tuesday Fixes 130+ Vulnerabilities ... - LinkedIn

web:www.linkedin.com

Microsoft has released its May 2026 Patch Tuesday security updates, addressing more than 130 vulnerabilities across its software ecosystem, including Windows, Microsoft Office, SharePoint Server ...

2026-05-14 15:20 UTC
CISA Required Action

CISA KEV

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-03-17 Known ransomware campaign use: Unknown

2026-05-14 01:13 UTC

Vendor references (2)

References embedded in the original CVE record by the assigning CNA.

Web references (0)

DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.

No web references attached yet.

NVD-tagged references (3)

Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.

https://jvn.jp/en/jp/JVN84622767/ vultures@jpcert.or.jp Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108 134c704f-9b21-4f2e-91b3-4a467353bcc0 US Government Resource
https://www.soliton.co.jp/support/2026/006657.html vultures@jpcert.or.jp Vendor Advisory

Indicators (2)

IOCs linked to the auto-promoted Threat row.

Type	Value	VirusTotal	Attached
cve	`CVE-2026-25108`	no local data	2026-05-14 02:58 UTC
cwe	`CWE-78`	no local data	2026-05-14 02:58 UTC

AI Forensic Analysis

Only Available for Registered Users. Sign in to view.

Raw JSON

The full cvelistV5 record. Download as CVE-2026-25108.json.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25108",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T04:55:24.116263Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-02-24",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T14:44:20.718Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-02-24T00:00:00.000Z",
            "value": "CVE-2026-25108 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "FileZen",
          "vendor": "Soliton Systems K.K.",
          "versions": [
            {
              "status": "affected",
              "version": "V5.0.0 to V5.0.10"
            }
          ]
        },
        {
          "product": "FileZen",
          "vendor": "Soliton Systems K.K.",
          "versions": [
            {
              "status": "affected",
              "version": "V4.2.1 to V4.2.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en-US",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')",
              "lang": "en-US",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-13T04:36:19.553Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.soliton.co.jp/support/2026/006657.html"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN84622767/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2026-25108",
    "datePublished": "2026-02-13T03:39:03.795Z",
    "dateReserved": "2026-01-30T11:03:04.608Z",
    "dateUpdated": "2026-02-26T14:44:20.718Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}