U.S. cybersecurity authorities have issued an urgent warning regarding CVE-2026-25108, a critical OS command injection vulnerability affecting FileZen, a file-sharing and transfer platform developed by Soliton Systems K.K.
The vulnerability has now been officially added to the Known Exploited Vulnerabilities (KEV) Catalog, confirming that attackers are actively abusing the flaw in real-world environments. Vendor reports indicate multiple incidents involving system damage caused by exploitation attempts, which makes immediate patching more urgent.
CVE-2026-25108 is classified as an OS command injection flaw, a dangerous class of vulnerability that occurs when an application passes user input to a system shell without properly sanitizing it.
Because command injection can provide direct system-level access without complex exploitation chains, it remains one of the most effective attack vectors against enterprise infrastructure.
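The general flaw class described above, shown as an added example (this is not FileZen code, and the page gives no details of the affected code path). The function names, the `SAFE_NAME` allow-list and the sample file name are all hypothetical; the harmless `echo` command stands in for whatever system utility an application might call.

```python
import re
import subprocess

# Hypothetical allow-list for user-supplied file names (an assumption for this example).
# The first character must be alphanumeric, so a value can never look like an option ("-n").
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def describe_unsafe(name: str) -> str:
    """Vulnerable pattern: user input is concatenated into a shell command line."""
    # The shell parses the whole string, so ';', '|', '$()' etc. in `name` become syntax.
    result = subprocess.run("echo processing " + name, shell=True,
                            capture_output=True, text=True, check=True)
    return result.stdout


def describe_argv_only(name: str) -> str:
    """No shell: the input is a single argv element and metacharacters stay data."""
    result = subprocess.run(["echo", "processing", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


def describe_safe(name: str) -> str:
    """Hardened pattern: allow-list validation first, then argv execution without a shell."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    return describe_argv_only(name)


if __name__ == "__main__":
    # Constructed sample input containing a shell metacharacter.
    sample = "report.txt; echo INJECTED"
    print("shell string :", describe_unsafe(sample).splitlines())
    print("argv list    :", describe_argv_only(sample).splitlines())
    try:
        describe_safe(sample)
    except ValueError as exc:
        print("validated    :", exc)
```

The shell-string version produces two output lines because the second command runs; the argv version produces one line containing the input verbatim, and the validated version rejects the input before any process is started.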
