[Japanese]

JVNDB-2026-000023

FileZen vulnerable to OS command injection

Overview

FileZen provided by Soliton Systems K.K. contains the following vulnerability.
  • OS command injection (CWE-78) - CVE-2026-25108
    • This vulnerability can be exploited when FileZen Antivirus Check Option is enabled
The developer states that attacks exploiting the vulnerability has been observed.

Soliton Systems K.K. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and Soliton Systems K.K. coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products


Soliton Systems K.K.
  • FileZen versions from V5.0.0 to V5.0.10
  • FileZen versions from V4.2.1 to V4.2.8

The developer states that FileZen S is not affected by this vulnerability.
Impact

If a user logs-in to the affected product and sends a specially crafted HTTP request, an arbitrary OS command may be executed.
Solution

[Update the Firmware]
Update the firmware to the latest version according to the information provided by the developer.
This vulnerability has been addressed in the following firmware version.
  • FileZen V5.0.11
Vendor Information

Soliton Systems K.K.
CWE (What is CWE?)

  1. OS Command Injection(CWE-78) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2026-25108
References

  1. JVN : JVN#84622767
  2. JPCERT Alert : JPCERT-AT-2026-0004
Revision History

  • [2026/02/13]
      Web page was published
  • [2026/02/13]
      Overview was modified
      References : Content was added

Date Public2026/02/13
Date First Published2026/02/13
Date Last Updated2026/02/13