Published:2026/02/13 Last Updated:2026/02/13
JVN#84622767
FileZen vulnerable to OS command injection
Critical
Overview
FileZen provided by Soliton Systems K.K. contains an OS command injection vulnerability.
Products Affected
- FileZen versions from V5.0.0 to V5.0.10
- FileZen versions from V4.2.1 to V4.2.8
Description
FileZen provided by Soliton Systems K.K. contains the following vulnerability.
- OS command injection (CWE-78)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.7
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Base Score 8.8
- CVE-2026-25108
- This vulnerability can be exploited when FileZen Antivirus Check Option is enabled
Impact
If a user logs-in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Solution
Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been addressed in the following firmware version.
- FileZen V5.0.11
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Soliton Systems K.K. | Vulnerable | 2026/02/13 | Soliton Systems K.K. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
JPCERT-AT-2026-0004 Alert Regarding OS Command Injection Vulnerability (CVE-2026-25108) in FileZen (Text in Japanese) |
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2026-25108 |
| JVN iPedia |
JVNDB-2026-000023 |
Update History
- 2026/02/13
- Information under the section "Description" and "Other Information" was updated