Critical FileZen Vulnerability Exposes Remote Command Injection Risk; Urgent Patch Required

February 25, 2026
  • CISA’s KEV listing signals active exploitation and urges organizations to address the vulnerability promptly.

  • CISA requires Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability by March 17, 2026.

  • Soliton recommends victims upgrade to V5.0.11+ and change all user passwords as a precaution after reports of at least one known exploit causing damage.

  • This marks another zero-day exploitation of FileZen, highlighting the need for timely patching and monitoring of related logs.

  • FileZen file-sharing appliances (both physical and virtual) are exposed to remote command injection after login, with exploitation possible even when antivirus scanning is enabled; the S variant is not affected.

  • Affected FileZen versions run from 4.2.1 to 4.2.8 and 5.0.0 to 5.0.10; users should upgrade to 5.0.11 or later to mitigate the risk.

  • FileZen is an appliance-based secure file transfer solution offering access controls, audit logs, antivirus scanning, and content sanitization, which are central to understanding the impact of this flaw.

  • Japan’s JPCERT notes FileZen logs directory changes through its file-monitoring feature; organizations should review logs for unauthorized access and consider password resets if suspicious activity is found.

  • The advisory emphasizes that exploitation requires an attacker to log in with general user privileges, underscoring the risk from credential compromise.

  • CISA has added CVE-2026-25108 to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, with a CVSS v4 score of 8.7.

  • CVE-2026-25108 is an OS command injection vulnerability that allows an authenticated user to run arbitrary commands via crafted HTTP requests, with a CVSS score of 8.7.

  • Exploitation requires two conditions: the FileZen antivirus feature must be enabled and the attacker must have valid login access with general user privileges.

Summary based on 3 sources

