CVE-2026-25108

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

F

ileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

References

Link	Resource
https://jvn.jp/en/jp/JVN84622767/	Third Party Advisory
https://www.soliton.co.jp/support/2026/006657.html	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*

History

24 Feb 2026, 21:38

Type	Values Removed	Values Added
First Time		Soliton filezen Soliton
References	~~() https://jvn.jp/en/jp/JVN84622767/ -~~	() https://jvn.jp/en/jp/JVN84622767/ - Third Party Advisory
References	~~() https://www.soliton.co.jp/support/2026/006657.html -~~	() https://www.soliton.co.jp/support/2026/006657.html - Vendor Advisory
References	~~() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108 -~~	() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108 - US Government Resource
CPE		cpe:2.3:a:soliton:filezen::::::::

24 Feb 2026, 19:21

Type	Values Removed	Values Added
References		() https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108 -
Summary		(es) FileZen contiene una vulnerabilidad de inyección de comandos del sistema operativo. Cuando la opción de verificación de antivirus de FileZen está habilitada, un usuario autenticado puede enviar una solicitud HTTP especialmente diseñada para ejecutar un comando arbitrario del sistema operativo.

13 Feb 2026, 14:23

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-13 04:15

Updated : 2026-02-24 21:38

NVD link : CVE-2026-25108

Mitre link : CVE-2026-25108

CVE.ORG link : CVE-2026-25108

JSON object : View

Products Affected

filezen

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-25108", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-13T04:15:53.410", "references": [{"url": "https://jvn.jp/en/jp/JVN84622767/", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.soliton.co.jp/support/2026/006657.html", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108", "tags": ["US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."}, {"lang": "es", "value": "FileZen contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Cuando la opci\u00f3n de verificaci\u00f3n de antivirus de FileZen est\u00e1 habilitada, un usuario autenticado puede enviar una solicitud HTTP especialmente dise\u00f1ada para ejecutar un comando arbitrario del sistema operativo."}], "lastModified": "2026-02-24T21:38:18.607", "cisaActionDue": "2026-03-17", "cisaExploitAdd": "2026-02-24", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C8030A0-947B-4FFA-B406-FF1C1A9C8812", "versionEndExcluding": "5.0.11", "versionStartIncluding": "4.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Soliton Systems K.K FileZen OS Command Injection Vulnerability"}