According to the Known Exploited Vulnerabilities Catalog, Soliton Systems K.K FileZen contains an OS command injection vulnerability that can be triggered when a user logs in to the affected product and sends a specially crafted HTTP request. The entry identifies the vulnerability as CVE-2026-25108 and includes a related CWE reference (CWE-78). It also states that it is Unknown whether the vulnerability has been used in ransomware campaigns.
The recommended action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The KEV record gives two dates, Date Added 2026-02-24 and Due Date 2026-03-17, and links to external advisories such as JVN and NVD for further details.
Organisations relying on FileZen should review the vendor’s mitigations promptly and assess exposure within their environment, ensuring mitigations are implemented or the product is retired if no fixes exist. Subscribe to KEV updates to stay informed about any changes to this vulnerability.
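One way to turn the exposure review above into a repeatable check, as an added example that is not part of the KEV entry or any vendor tooling: it matches a KEV record against an asset inventory and reports each affected host's status against the due date. The record uses the KEV JSON feed's field names with the values quoted on this page; the inventory, its host names and the `mitigated` flag are constructed assumptions.

```python
from datetime import date

# Constructed record: KEV JSON feed field names, values as quoted on this page.
KEV_RECORD = {
    "cveID": "CVE-2026-25108",
    "vendorProject": "Soliton Systems K.K",
    "product": "FileZen",
    "dateAdded": "2026-02-24",
    "dueDate": "2026-03-17",
    "knownRansomwareCampaignUse": "Unknown",
    "cwes": ["CWE-78"],
}

# Constructed inventory (hypothetical hosts and a hypothetical "mitigated" flag).
INVENTORY = [
    {"host": "xfer01.example.internal", "product": "FileZen", "mitigated": False},
    {"host": "xfer02.example.internal", "product": "filezen", "mitigated": True},
    {"host": "mail01.example.internal", "product": "Postfix", "mitigated": False},
]


def triage(record, inventory, today):
    """Return one finding per inventory asset running the product in the record."""
    due = date.fromisoformat(record["dueDate"])
    days_left = (due - today).days  # negative once the due date has passed
    findings = []
    for asset in inventory:
        # Inventory naming is rarely consistent, so compare case-insensitively.
        if asset["product"].casefold() != record["product"].casefold():
            continue
        if asset["mitigated"]:
            status = "mitigated"
        elif days_left < 0:
            status = "overdue"
        else:
            status = "open"
        findings.append({"host": asset["host"], "cve": record["cveID"],
                         "status": status, "days_left": days_left})
    return findings


if __name__ == "__main__":
    for f in triage(KEV_RECORD, INVENTORY, date.today()):
        print(f"{f['host']}: {f['cve']} {f['status']} ({f['days_left']} days to due date)")
```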