The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Soliton Systems K.K. FileZen to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Soliton Systems K.K. FileZen flaw, tracked as CVE-2026-25108 (CVSS v4 score of 8.7), to its Known Exploited Vulnerabilities (KEV) catalog.

Soliton Systems K.K. FileZen is a secure file transfer solution that enables organizations to share and manage sensitive data safely. It provides access controls, activity logging, and antivirus scanning. The vulnerability is an operating system (OS) command injection that could allow an authenticated user to execute arbitrary commands via specially crafted HTTP requests.

“Command Injection Vulnerability in a Specific Field on the Post-Logon Screen (CWE-78),” reads the advisory. “A remote attacker may be able to execute arbitrary OS commands within FileZen.”

The vulnerability can be exploited only if two conditions are met: the FileZen virus check feature (BitDefender-based) is enabled, and the attacker has valid login access to the FileZen website, obtained either through leaked credentials or through successfully guessed user IDs and passwords.

The flaw impacts versions 5.0.0 to 5.0.10 and versions 4.2.1 to 4.2.8. Version 5.0.11 or later addresses the flaw.

Soliton is aware of active exploitation of this flaw:

“We have received at least one report of damage caused by the exploitation of this vulnerability,” reads the advisory. “For this vulnerability to occur, an attacker must log on to the web screen with general user privileges. If you have been attacked or suspect that you are a victim of this vulnerability, please consider not only updating to V5.0.11 or later, but also changing all user passwords as a precaution, since an attacker could log on with at least one real account.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by March 17, 2026.

Pierluigi Paganini