Published: 2021/02/16  Last Updated: 2021/03/05

FileZen vulnerable to OS command injection


FileZen provided by Soliton Systems K.K. contains an OS command injection vulnerability.

Products Affected

  • FileZen versions from V3.0.0 to V4.2.7
  • FileZen versions from V5.0.0 to V5.0.2


FileZen provided by Soliton Systems K.K. is an appliance for secure file transfer and sharing by mail or a web interface.
FileZen contains an OS command injection vulnerability (CWE-78).


A remote attacker who obtained the administrative account of this product may execute an arbitrary OS command.


Solution

Update the Firmware
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has already been addressed in the following firmware versions.

  • FileZen V4.2.8
  • FileZen V5.0.3

Apply workarounds
Applying workarounds may mitigate the impacts of this vulnerability.
The developer recommends applying the following mitigations to this product.

  • Disable the initial administrator account "admin"
  • Change the System Administrator account's ID and Password
  • Set the System Administrator account to prevent log on from the internet

For more information, refer to the information provided by the developer (in Japanese).
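
One way to triage an inventory against the affected versions and workarounds listed above, as an added example that is not part of the advisory or the developer's tooling. The inventory records, host names and field names (`default_admin_enabled`, `sysadmin_credentials_changed`, `sysadmin_login_from_internet`) are hypothetical, and firmware strings are assumed to follow the `Vx.y.z` form used in this advisory.

```python
import re

# Affected ranges and fixed releases, taken from the advisory text.
AFFECTED = [((3, 0, 0), (4, 2, 7), "V4.2.8"), ((5, 0, 0), (5, 0, 2), "V5.0.3")]

def parse_version(text):
    """Turn 'V4.2.7' (or '4.2.7') into (4, 2, 7); raise ValueError otherwise."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())

def fixed_release(version):
    """Return the fixed firmware to move to, or None if not listed as affected."""
    v = parse_version(version)
    for low, high, fix in AFFECTED:
        if low <= v <= high:
            return fix
    return None

def open_workarounds(host):
    """List the developer's workarounds this record shows as not applied.
    A missing field is treated as 'not applied' (hypothetical field names)."""
    todo = []
    if host.get("default_admin_enabled", True):
        todo.append('disable the initial administrator account "admin"')
    if not host.get("sysadmin_credentials_changed", False):
        todo.append("change the System Administrator account's ID and password")
    if host.get("sysadmin_login_from_internet", True):
        todo.append("prevent System Administrator log on from the internet")
    return todo

def triage(inventory):  # host name -> (fixed release or None, open workarounds)
    report = {}
    for host in inventory:
        fix = fixed_release(host["firmware"])
        report[host["name"]] = (fix, open_workarounds(host) if fix else [])
    return report

# Constructed sample inventory; host names and field names are hypothetical.
SAMPLE = [
    {"name": "fz-dmz-01", "firmware": "V4.2.7", "default_admin_enabled": True,
     "sysadmin_credentials_changed": False, "sysadmin_login_from_internet": True},
    {"name": "fz-int-02", "firmware": "V5.0.1", "default_admin_enabled": False,
     "sysadmin_credentials_changed": True, "sysadmin_login_from_internet": False},
    {"name": "fz-int-03", "firmware": "V5.0.3"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts that return a fixed release need the firmware update; the workaround list shows what still reduces exposure of the administrative account until the update is applied.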

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Soliton Systems K.K. | Vulnerable | 2021/03/05 | Soliton Systems K.K. website


References

  1. Information-technology Promotion Agency, Japan (IPA)
    Regarding OS Command Injection vulnerability in FileZen (JVN#58774946) (in Japanese)

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 9.1
Attack Vector (AV): Physical (P) | Local (L) | Adjacent (A) | Network (N)
Attack Complexity (AC): High (H) | Low (L)
Privileges Required (PR): High (H) | Low (L) | None (N)
User Interaction (UI): Required (R) | None (N)
Scope (S): Unchanged (U) | Changed (C)
Confidentiality Impact (C): None (N) | Low (L) | High (H)
Integrity Impact (I): None (N) | Low (L) | High (H)
Availability Impact (A): None (N) | Low (L) | High (H)

Base Score: 9.0
Access Vector (AV): Local (L) | Adjacent Network (A) | Network (N)
Access Complexity (AC): High (H) | Medium (M) | Low (L)
Authentication (Au): Multiple (M) | Single (S) | None (N)
Confidentiality Impact (C): None (N) | Partial (P) | Complete (C)
Integrity Impact (I): None (N) | Partial (P) | Complete (C)
Availability Impact (A): None (N) | Partial (P) | Complete (C)


Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert: JPCERT-AT-2021-0009, Alert Regarding Vulnerability (CVE-2021-20655) in FileZen
JPCERT Reports
CERT Advisory
CPNI Advisory
CVE: CVE-2021-20655
JVN iPedia: JVNDB-2021-000015

Update History

Information under the section "References" and "Other Information" was updated.
Information under the section "Solution" was updated.
Soliton Systems K.K. update status