External risk intelligence

FileZen OS Command Injection Vulnerability

CVE advisoryKnown Exploit

CVE-2026-25108

A vulnerability in FileZen's Antivirus Check Option allows a logged-in user to execute arbitrary OS commands via crafted HTTP requests. This impacts system integrity and data confidentiality. Affected organizations face risks of unauthorized access and service disruption.

4Halo Surface Signal

OS Command Injection

Soliton Filezen

4.2.1 to before 5.0.11

External exposure likelihood

Halo Surface Signal score for CVE-2026-25108

FileZen is a file transfer appliance commonly deployed as an internet-facing gateway or web portal for external file exchange. The vulnerability is reachable via HTTP requests, which are the primary method of interaction for this type of service in typical edge-deployed configurations.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

The FileZen product has a vulnerability that could allow an authenticated user to execute arbitrary operating system commands. This occurs when the Antivirus Check Option is enabled. The flaw enables an attacker to send a specially crafted HTTP request to the system. This could lead to unauthorized system access or manipulation.

  • Vulnerable component: FileZen Antivirus Check Option
  • Core weakness: OS command injection
  • Main business impact: Unauthorized command execution

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary operating system commands on a targeted system. An attacker with prior user access can send a specially crafted HTTP request, enabling them to take control of the system. This could lead to unauthorized data access, modification, or disruption of services, posing a significant risk to the affected organization.

  • Exposure condition: FileZen Antivirus Check Option enabled.
  • Attacker starting point: Logged-in user.
  • Trigger and result: HTTP request executes OS command.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability exists in FileZen that allows a logged-in user to execute arbitrary operating system commands through specially crafted HTTP requests. This could enable attackers to compromise systems by exploiting the antivirus check option. The Cybersecurity and Infrastructure Security Agency (CISA) has added this to its Known Exploited Vulnerabilities catalog, indicating a potential for widespread exploitation. Organizations should treat this vulnerability with urgency.- Attackers likely have moderate skill.

  • Requires authenticated access and specific option enabled.
  • High business risk and urgent action required.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The FileZen Antivirus Check Option presents a security risk due to an OS command injection vulnerability. A logged-in user can exploit this by sending a crafted HTTP request, potentially leading to the execution of arbitrary operating system commands. This could impact system integrity and data confidentiality.

  • Identify all FileZen assets.
  • Disable the Antivirus Check Option.
  • Apply vendor updates and verify.
  • Monitor system activity.

Frequently asked questions

What is the primary function of FileZen and how does its Antivirus Check Option relate to the discovered vulnerability?

FileZen is a product that facilitates file transfers. The vulnerability within FileZen is specifically tied to its Antivirus Check Option. When this option is enabled, a logged-in user can exploit a flaw by sending a specially crafted HTTP request to execute arbitrary operating system commands on the affected system.

What type of weakness does CVE-2026-25108 represent, and how can it be triggered by an authenticated user?

CVE-2026-25108 represents an OS command injection vulnerability (CWE-78). An authenticated, logged-in user can trigger this weakness by sending a specifically crafted HTTP request to the FileZen system, provided the Antivirus Check Option is enabled.

What is the potential impact of exploiting the FileZen vulnerability, and are there any scope negations for this threat?

Exploiting this vulnerability allows an attacker to execute arbitrary OS commands on the targeted FileZen system. This could lead to unauthorized data access, modification, or disruption of services. The scope is limited to the system where FileZen is deployed and does not appear to have explicit scope negations mentioned in the provided context.

Why has CISA added CVE-2026-25108 to its Known Exploited Vulnerabilities catalog, and what does this indicate about its relevance?

CISA has added CVE-2026-25108 to its Known Exploited Vulnerabilities catalog because the FileZen product is often deployed as an internet-facing gateway or web portal. The vulnerability is reachable via HTTP requests, making it a likely target for exploitation in edge-deployed configurations, thus highlighting its significant relevance and potential for widespread compromise.

What practical steps should an organization take to respond to the FileZen OS command injection vulnerability?

Organizations should first identify all FileZen assets. A crucial immediate step is to disable the Antivirus Check Option to mitigate the vulnerability. Additionally, apply any available vendor updates for FileZen and verify their successful implementation. Continuous monitoring of system activity is also recommended to detect any signs of compromise.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified