CISA has added CVE-2026-25108 to the Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Soliton Systems K.K FileZen. The Soliton Systems K.K FileZen OS Command Injection Vulnerability allows a user who logs in to the product to trigger an operating-system command injection by sending a specially crafted HTTP request.
Technically, the issue is an OS command injection in FileZen that is exploitable via crafted HTTP requests during the login process. Successful exploitation permits execution of arbitrary operating-system commands on the affected server. The National Vulnerability Database records a CVSS score of 8.8 (HIGH). A vendor patch and advisory are available from Soliton Systems (https://www.soliton.co.jp/support/2026/006657.html), and the JVN advisory is published at https://jvn.jp/en/jp/JVN84622767/.
CISA's KEV designation indicates the vulnerability has been confirmed as actively exploited in the wild. Whether it has been used in known ransomware campaigns is currently unknown. CISA has set a remediation deadline of 2026-03-17 for federal civilian executive branch (FCEB) agencies.
CISA’s required remediation action is: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable." FCEB agencies are directly affected by this KEV listing. All organisations that use FileZen should review their exposure, apply the vendor patch or mitigations, and consider discontinuing use if no mitigations are available.
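As an added example (not part of CISA's or Soliton's material), the check below matches a KEV catalogue record against a constructed asset inventory and reports how many days remain before the listed due date. The record is constructed from the values in this advisory using the field names of CISA's KEV JSON feed; the inventory hostnames are assumptions.

```python
import json
from datetime import date

# Constructed KEV record: field names follow CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json); values come from the advisory text.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-25108",
            "vendorProject": "Soliton Systems K.K",
            "product": "FileZen",
            "vulnerabilityName": "Soliton Systems K.K FileZen OS Command Injection "
                                 "Vulnerability",
            "requiredAction": "Apply mitigations per vendor instructions, follow "
                              "applicable BOD 22-01 guidance for cloud services, or "
                              "discontinue use of the product if mitigations are "
                              "unavailable.",
            "dueDate": "2026-03-17",
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed inventory (hypothetical hosts and product labels).
INVENTORY = [
    {"host": "xfer-01.example.internal", "product": "FileZen"},
    {"host": "wiki-01.example.internal", "product": "Confluence"},
]


def _norm(s):
    """Lower-case and collapse whitespace so product labels compare loosely."""
    return " ".join(s.lower().split())


def kev_matches(kev_json, inventory, today_iso):
    """Return one hit per (asset, KEV entry) whose product names overlap.

    Each hit carries the CVE, the days left until the KEV due date (negative
    when overdue) and the required action, so it can feed a ticket or alert.
    """
    today = date.fromisoformat(today_iso)
    entries = json.loads(kev_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        a = _norm(asset["product"])
        for e in entries:
            p = _norm(e["product"])
            if a in p or p in a:
                due = date.fromisoformat(e["dueDate"])
                hits.append({"host": asset["host"], "cveID": e["cveID"],
                             "days_left": (due - today).days,
                             "overdue": due < today,
                             "requiredAction": e["requiredAction"]})
    return hits
```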
For full technical details and vendor guidance, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-25108 and the CISA KEV catalogue.