CISA Warns of Actively Exploited FileZen Command Injection Vulnerability
CISA adds CVE-2026-25108 to the Known Exploited Vulnerabilities catalog after confirming active exploitation of an OS command injection flaw in Soliton Systems FileZen file-sharing appliances used by government agencies and enterprises.
CISA added CVE-2026-25108 to the Known Exploited Vulnerabilities (KEV) catalog on February 24, 2026, after confirming active exploitation of an OS command injection vulnerability in Soliton Systems' FileZen file-sharing appliances. Federal agencies are required to apply patches or mitigations by March 10.
Vulnerability Details
CVE-2026-25108 is an OS command injection flaw in FileZen's web management interface that allows an authenticated attacker to execute arbitrary commands on the underlying operating system. The vulnerability exists in the file upload handling component, where user-supplied filenames are passed to shell commands without adequate sanitization. An attacker with valid credentials — even low-privilege ones — can craft a filename that injects arbitrary OS commands during the upload process.
Active Exploitation
CISA's addition to the KEV catalog confirms that the vulnerability is being actively exploited in the wild. FileZen appliances are commonly deployed in government agencies, healthcare organizations, and financial institutions for secure file transfer between internal networks and external partners. The combination of a relatively low exploitation barrier (authenticated access only, no admin privileges required) and high-value deployment environments makes this an attractive target for both state-sponsored and financially motivated threat actors.
Mitigation Guidance
Soliton Systems released a patch for the vulnerability on February 20, and CISA recommends immediate application. For organizations that cannot patch immediately, CISA advises restricting access to the FileZen web management interface to trusted networks only, enabling multi-factor authentication for all FileZen accounts, and monitoring for unusual file upload patterns that might indicate exploitation attempts. Organizations should also review their FileZen access logs for signs of prior compromise, as the vulnerability may have been exploited before the patch was available.
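As an added example (not code from CISA, Soliton Systems, or this article), the log review described above can start by flagging uploads whose filenames contain shell metacharacters, the injection vector described under Vulnerability Details. The log layout, field order, and sample lines are assumptions constructed for illustration; FileZen's actual log format is not described here, so the line regex must be adapted.

```python
import re
from urllib.parse import unquote

# Characters and sequences a POSIX shell treats specially; a legitimate
# uploaded filename rarely needs any of them.
SHELL_META = re.compile(r"[;&|`<>\n\r\\]|\$\(|\$\{")

# ASSUMPTION: hypothetical layout
#   "<timestamp> <user> <src_ip> UPLOAD <url-encoded filename>"
# This is not FileZen's real log format; adjust to the appliance's output.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) UPLOAD (?P<name>.+)$")

def decode_name(raw):
    """URL-decode twice so double-encoded metacharacters are not missed."""
    return unquote(unquote(raw))

def suspicious_tokens(filename):
    """Return the sorted, de-duplicated shell metacharacters in a filename."""
    return sorted(set(SHELL_META.findall(decode_name(filename))))

def scan_upload_log(lines):
    """Yield (timestamp, user, ip, decoded filename, tokens) for flagged uploads."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # not an upload record in the assumed layout
        tokens = suspicious_tokens(m["name"])
        if tokens:
            yield m["ts"], m["user"], m["ip"], decode_name(m["name"]), tokens

# Constructed sample lines (not real FileZen output).
SAMPLE_LOG = [
    "2026-02-18T09:12:44Z alice 10.0.4.17 UPLOAD quarterly-report.pdf",
    "2026-02-18T09:15:02Z guest7 203.0.113.50 UPLOAD a.txt%3Bid",
    "2026-02-18T09:15:40Z guest7 203.0.113.50 UPLOAD x%2524%2528whoami%2529.zip",
    "2026-02-18T10:01:13Z bob 10.0.4.22 UPLOAD Budget (final) v2.xlsx",
]

if __name__ == "__main__":
    for ts, user, ip, name, tokens in scan_upload_log(SAMPLE_LOG):
        print(f"{ts} user={user} ip={ip} filename={name!r} tokens={tokens}")
```

A hit is a lead for review rather than proof of compromise; correlate flagged entries with the uploading account and source address.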