{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25108", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-01-30T11:03:04.608Z", "datePublished": "2026-02-13T03:39:03.795Z", "dateUpdated": "2026-02-26T14:44:20.718Z"}, "containers": {"cna": {"affected": [{"vendor": "Soliton Systems K.K.", "product": "FileZen", "versions": [{"version": "V5.0.0 to V5.0.10", "status": "affected"}]}, {"vendor": "Soliton Systems K.K.", "product": "FileZen", "versions": [{"version": "V4.2.1 to V4.2.8", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."}], "problemTypes": [{"descriptions": [{"description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')", "lang": "en-US", "cweId": "CWE-78", "type": "CWE"}]}], "references": [{"url": "https://www.soliton.co.jp/support/2026/006657.html"}, {"url": "https://jvn.jp/en/jp/JVN84622767/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-13T04:36:19.553Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25108", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:24.116263Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2026-02-24", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"}}}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108", "tags": ["government-resource"]}], "timeline": [{"time": "2026-02-24T00:00:00.000Z", "lang": "en", "value": "CVE-2026-25108 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:20.718Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25108", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-25T04:55:24.116263Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2026-02-24", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"}}}], "timeline": [{"lang": "en", "time": "2026-02-24T00:00:00.000Z", "value": "CVE-2026-25108 added to CISA KEV"}], "references": [{"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108", "tags": ["government-resource"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-13T13:08:28.786Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Soliton Systems K.K.", "product": "FileZen", "versions": [{"status": "affected", "version": "V5.0.0 to V5.0.10"}]}, {"vendor": "Soliton Systems K.K.", "product": "FileZen", "versions": [{"status": "affected", "version": "V4.2.1 to V4.2.8"}]}], "references": [{"url": "https://www.soliton.co.jp/support/2026/006657.html"}, {"url": "https://jvn.jp/en/jp/JVN84622767/"}], "descriptions": [{"lang": "en", "value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-78", "description": "Improper neutralization of special elements used in an OS command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-02-13T04:36:19.553Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25108", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:20.718Z", "dateReserved": "2026-01-30T11:03:04.608Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2026-02-13T03:39:03.795Z", "assignerShortName": "jpcert"}, "dataVersion": "5.2"}

{"cisaActionDue": "2026-03-17", "cisaExploitAdd": "2026-02-24", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Soliton Systems K.K FileZen OS Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:soliton:filezen:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C8030A0-947B-4FFA-B406-FF1C1A9C8812", "versionEndExcluding": "5.0.11", "versionStartIncluding": "4.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command."}, {"lang": "es", "value": "FileZen contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Cuando la opci\u00f3n de verificaci\u00f3n de antivirus de FileZen est\u00e1 habilitada, un usuario autenticado puede enviar una solicitud HTTP especialmente dise\u00f1ada para ejecutar un comando arbitrario del sistema operativo."}], "id": "CVE-2026-25108", "lastModified": "2026-02-24T21:38:18.607", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-02-13T04:15:53.410", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN84622767/"}, {"source": "vultures@jpcert.or.jp", "tags": ["Vendor Advisory"], "url": "https://www.soliton.co.jp/support/2026/006657.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-25108"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "vultures@jpcert.or.jp", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[V5.0.0,V5.0.10]"}}], "product": "filezen", "vendor": "soliton_systems_k.k."}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[V4.2.1,V4.2.8]"}}], "product": "filezen", "vendor": "soliton_systems_k.k."}], "analysis": {"en": {"generated_at": "2026-04-22T19:58:47.038946+00:00", "value": {"mitigation_remediation": ["Disable the FileZen Antivirus Check option to eliminate the command injection vector until a patch is available.", "Apply the vendor\u2019s latest patch or upgrade to a fixed release as announced on Soliton\u2019s support site.", "Monitor web application logs for anomalous HTTP requests targeting the antivirus check endpoint and review any unexpected command executions."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Soliton Systems FileZen. No specific version information was supplied.", "description_and_impact": "A flaw in FileZen\u2019s antivirus check option permits an authenticated, logged\u2011in user to send a crafted HTTP request that is interpreted as an OS command, enabling arbitrary command execution on the host. The vulnerability is an OS command injection, classified as CWE\u201178, and can compromise confidentiality, integrity, and availability by allowing an attacker to run any command with the privileges of the FileZen service.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.7 and an EPSS score of 8\u202f%, indicating a high likelihood of exploitation. It is listed in CISA\u2019s Known Exploited Vulnerabilities catalog, confirming active or recent exploitation. Attackers must be authenticated and exploit the enabled antivirus check option; once they do, they can execute any OS command on the underlying system."}}}}, "created": "2026-02-13T21:28:50.656155+00:00", "updated": "2026-04-22T20:00:08.856780+00:00", "vendors": ["soliton_systems_k.k.", "soliton_systems_k.k.$PRODUCT$filezen"]}