CVE-2026-25108 | THREATINT

Description

FileZen contains an OS command injection vulnerability. When FileZen Antivirus Check Option is enabled, a logged-in user may send a specially crafted HTTP request to execute an arbitrary OS command.

PUBLISHED Reserved 2026-01-30 | Published 2026-02-13 | Updated 2026-02-25 | Assigner jpcert

HIGH: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA Known Exploited Vulnerability

Date added 2026-02-24 | Due date 2026-03-17

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

Improper neutralization of special elements used in an OS command ('OS Command Injection')

Product status

V5.0.0 to V5.0.10

affected

V4.2.1 to V4.2.8

affected

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2026-25108 government-resource

www.soliton.co.jp/support/2026/006657.html

jvn.jp/en/jp/JVN84622767/

cve.org (CVE-2026-25108)

nvd.nist.gov (CVE-2026-25108)

Download JSON