The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a remote command injection flaw in Soliton Systems K.K. FileZen, tracked as CVE-2026-25108, to the Known Exploited Vulnerabilities catalog. FileZen is described as a secure file transfer solution with access controls, activity logging and antivirus scanning.
The vulnerability could allow an authenticated user to execute arbitrary OS commands via specially crafted HTTP requests. Exploitation requires both that the Bitdefender-based virus check feature is enabled and that the attacker has valid login access to the FileZen website. The flaw affects versions 5.0.0 to 5.0.10 and 4.2.1 to 4.2.8, with fixes in 5.0.11 or later, and there have been reports of active exploitation.
CISA orders federal agencies to address the vulnerability by 17 March 2026, while agencies and private organisations are advised to review the KEV catalog and update to mitigate the risk.