Executive Summary

On February 24, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert adding a critical vulnerability, CVE-2026-25108, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is an OS command injection vulnerability in the FileZen secure file transfer appliance, developed by Soliton Systems K.K.. Its inclusion in the KEV catalog confirms active, in-the-wild exploitation by malicious actors. This type of vulnerability is extremely dangerous as it can allow an attacker to execute arbitrary commands on the device's operating system, effectively leading to a full takeover. U.S. federal agencies are now required to remediate this flaw, and all other organizations are strongly advised to patch immediately.

Vulnerability Details

CVE-2026-25108: Soliton Systems FileZen OS Command Injection

• Description: This vulnerability allows a remote attacker to inject and execute arbitrary operating system commands on a vulnerable FileZen appliance. The flaw likely exists in a web-accessible component that fails to properly sanitize user-supplied input before passing it to a system shell.
• Impact: A successful exploit provides the attacker with Remote Code Execution (RCE), typically with the privileges of the web server user. This allows the attacker to install backdoors, steal sensitive data being transferred through the appliance, pivot to other systems on the internal network, or use the device as part of a botnet.
• Exploitation Note: Reports indicate that attackers are using AI-driven scanners to rapidly identify vulnerable FileZen instances on the internet and then using AI-generated shellcode to establish persistence.

Affected Systems

• Soliton Systems K.K. FileZen file transfer appliance. Organizations must refer to Soliton's security advisory for the specific affected versions.

Exploitation Status

CVE-2026-25108 is being actively exploited. Secure file transfer appliances are a high-value target for attackers because they are internet-facing, often process sensitive data, and can serve as a beachhead into a target's network. The use of automated, AI-enhanced tools for discovery and exploitation means that any unpatched, internet-accessible FileZen device is at immediate risk of compromise.

Cyber Observables for Detection

Security teams should monitor web server logs on their FileZen appliances for suspicious requests that may indicate exploitation attempts:

• Look for URL parameters or POST body content containing shell metacharacters like ;, |, &&, $(...), or `.
• An example might be a request to a legitimate script with an added command: GET /some/script.php?filename=test.txt;whoami.

Detection Methods

1. Vulnerability Scanning: Use vulnerability scanners with updated definitions to identify vulnerable FileZen appliances on your network perimeter.
2. Web Application Firewall (WAF) / IPS: Deploy a WAF or Intrusion Prevention System with signatures designed to detect and block OS command injection attempts. This is a form of D3FEND's D3-ITF - Inbound Traffic Filtering.
3. Log Analysis: Forward web access logs from FileZen devices to a SIEM. Create detection rules to alert on the presence of shell metacharacters or common commands (whoami, id, uname, wget, curl) in URL requests.

Remediation Steps

1. Apply Patches Immediately: The primary and most urgent action is to apply the security patches provided by Soliton Systems K.K. Since this is an actively exploited RCE vulnerability, patching should be considered an emergency change. This is a direct application of D3FEND's D3-SU - Software Update.
2. Restrict Access: If patching is not immediately possible, restrict access to the device's management interface to a set of trusted IP addresses. This is a temporary measure and does not replace the need to patch.
3. Hunt for Compromise: Given the active exploitation, organizations with vulnerable devices should assume they may have been compromised. Security teams should review logs for past signs of exploitation, check for any unauthorized files or processes on the appliance, and monitor for any unusual outbound network traffic.