Filezen
CVE-2026-25108
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.
AnalysisAI
FileZen contains an OS command injection vulnerability (CVE-2026-25108, CVSS 8.8) that allows authenticated users to execute arbitrary commands when the Antivirus Check Option is enabled. KEV-listed with EPSS 18.6%, this vulnerability in the Japanese file-sharing appliance has been actively exploited in campaigns targeting organizations in Japan and Asia-Pacific.
Technical ContextAI
FileZen is a file-sharing appliance manufactured by Soliton Systems, widely deployed in Japanese government agencies and enterprises. When the antivirus check option is enabled, user-uploaded filenames or content is incorporated into OS commands for virus scanning without proper sanitization. An authenticated user can inject shell commands through crafted HTTP requests that are executed with the privileges of the FileZen service.
RemediationAI
Apply FileZen security update immediately. If unable to patch, disable the Antivirus Check Option temporarily. Restrict FileZen access to authorized networks. Audit uploaded files and user accounts for suspicious activity. Review stored files for potential data exposure.
FileZen (V3.0.0 to V4.2.7 and V5.0.0 to V5.0.2) allows a remote attacker with administrator rights to execute arbitrary
Directory traversal vulnerability in FileZen versions from V3.0.0 to V4.2.2 allows remote attackers to upload an arbitra
FileZen V3.0.0 to V4.2.1 allows remote attackers to execute arbitrary OS commands via unspecified vectors. Rated critica
Directory traversal vulnerability in FileZen V3.0.0 to V4.2.1 allows remote attackers to upload an arbitrary file in the
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today