Critical Vulnerability in FileZen File Transfer App Allows Arbitrary Command Execution
A significant security flaw has been identified in Soliton Systems K.K.’s FileZen file transfer application, potentially enabling attackers to execute arbitrary system commands on affected systems. This vulnerability, designated as CVE-2026-25108, carries a CVSS v3.0 base score of 8.8, highlighting its severity.
Understanding the Vulnerability
The core of this issue lies in an OS command injection vulnerability (CWE-78) within FileZen’s processing mechanism, specifically when the Antivirus Check Option is activated. Authenticated users can exploit this flaw by sending specially crafted HTTP requests to the vulnerable FileZen instance, thereby gaining the ability to execute commands on the underlying operating system.
Scope of the Impact
FileZen is a widely adopted secure file transfer and sharing system utilized by enterprises for data exchange both across organizations and within internal networks. It’s important to note that the FileZen S variant remains unaffected by this vulnerability.
The affected versions include:
– V5.0.0 through V5.0.10
– V4.2.1 through V4.2.8
Potential Consequences
If exploited, this vulnerability allows authenticated attackers to send malicious HTTP requests that can execute arbitrary OS-level commands with elevated privileges. Such exploitation could lead to:
– Full compromise of the affected appliance
– Unauthorized manipulation of files
– Establishment of persistent access for further exploitation within the network
Given that FileZen systems are often exposed to enterprise networks, the risk extends to data confidentiality and system integrity.
Observed Exploitation
Soliton Systems K.K. has confirmed that there have been observed attempts to exploit this vulnerability in the wild, indicating active use of this flaw prior to its patching.
Mitigation Measures
To address this critical issue, Soliton Systems has released a firmware update. Users are strongly advised to upgrade to FileZen firmware version V5.0.11 or later, which includes security fixes that neutralize the OS command injection vector.
Recommendations for Users
– Immediate Update: Upgrade to the latest firmware version to mitigate the vulnerability.
– Review Access Controls: Ensure that only authorized personnel have access to the FileZen system.
– Monitor System Logs: Regularly check for any unusual activities or unauthorized access attempts.
– Disable Unnecessary Features: If the Antivirus Check Option is not essential, consider disabling it until the system is updated.
Conclusion
The discovery of CVE-2026-25108 in FileZen underscores the critical importance of timely software updates and vigilant system monitoring. Organizations relying on FileZen for secure file transfers must act promptly to apply the necessary patches and review their security protocols to prevent potential exploitation.
