TL;DR CISA added CVE-2026-25108 to its Known Exploited Vulnerabilities list after active exploitation of the FileZen command injection flaw. If you’re running FileZen, patch now or accept the consequences.
CISA doesn’t add things to the Known Exploited Vulnerabilities catalogue for fun. They add things because attackers are actively using them in the wild, right now, against real targets. So when CVE-2026-25108 — a command injection flaw in Soliton Systems’ FileZen network storage product — landed on the KEV list this week, that’s the intelligence community’s way of saying “stop reading newsletters and go patch your shit.”
Let’s talk about what FileZen is, why this vulnerability is serious, and why the fact that it’s on the KEV list means you have approximately zero time left.
What Is FileZen and Why Does It Matter
FileZen is a network-attached storage and file-sharing appliance made by Soliton Systems, a Japanese vendor. It’s widely deployed in Japanese government agencies and corporate environments for secure file transfer — the sort of product that sits on the perimeter, faces the internet, handles credential-authenticated file exchange, and gets patched roughly never. If you’re seeing a theme here, congratulations, you’ve been paying attention.
According to CISA’s advisory as documented by Security Affairs, CVE-2026-25108 is a command injection vulnerability in FileZen. CVSS score sits at 8.7 — high severity. The flaw allows a remote attacker to inject operating system commands through a vulnerable parameter, effectively gaining the ability to execute arbitrary code on the device.
HelpNetSecurity’s coverage confirmed active exploitation is underway, and Cypro’s analysis notes the flaw has been added to CISA’s Binding Operational Directive 22-01 catalogue, which means U.S. federal agencies have a hard deadline to patch. The CVE detail was also flagged by CyberPress as a priority remediation item.
Command injection on a file transfer appliance sitting on your network perimeter is as bad as it sounds. An attacker who can execute arbitrary OS commands on FileZen can read every file stored on it, use it as a pivot point into your internal network, install persistent backdoors, exfiltrate credentials, and generally treat your DMZ like a hotel lobby.
This Is a Familiar Pattern and It Should Make You Furious
File transfer appliances have been a primary attack vector for multiple high-profile campaigns over the past three years. MOVEit. GoAnywhere MFT. Accellion FTA. CrushFTP. These products sit on the perimeter, process sensitive data, have network access to internal systems, and routinely run for years without substantive security review because “it just works.” Until it doesn’t.
The Clop ransomware gang made file transfer appliances their signature attack vector. They exploited MOVEit in 2023 and hit hundreds of organizations simultaneously — a zero-day campaign that netted them more victims in a single coordinated push than most ransomware groups see in a year. As I documented in my post on Clop’s Oracle EBS Rampage in November 2025, exploitation of enterprise data-handling infrastructure is now a mature, systematized attack strategy. Clop, Maze, LockBit, and their successors all know that file transfer systems are the intersection of “holds sensitive data,” “faces the internet,” and “gets patched by nobody.” It’s a gift that keeps giving.
FileZen specifically has been hit before. CVE-2021-20659 was a previous path traversal flaw in FileZen that was exploited by Chinese state-linked actors in Japan — the Japan Cyber Emergency Response Team documented it at the time. The Japanese government issued warnings. Agencies were supposed to patch. And yet here we are five years later with a new critical exploit in the same product family.
If you’re running a network appliance that had a documented state-actor exploitation incident five years ago, it should be in a hardened, closely monitored network segment with egress restrictions, authentication logging, and patch SLAs measured in hours, not quarters. That’s apparently not what happened.
Who’s Getting Hit
The Purple-Ops analysis of CVE-2026-25108 confirms the CVSS 8.7 score and notes the vulnerability is being actively exploited in targeted campaigns. Given FileZen’s deployment profile — primarily Japanese government and corporate environments — the targeting picture points toward nation-state interest, specifically the kind of intelligence collection campaigns that have repeatedly targeted Japanese government networks.
Japan has been a high-priority target for both Chinese and North Korean state actors over the past several years, particularly around defence industry data, semiconductor intellectual property, and government communications. A command injection flaw in widely deployed government file transfer infrastructure is exactly the kind of entry point a patient APT operator would park on for months while building network access.
This isn’t speculation. My academic analysis in Protecting Submarine Cable Infrastructure through Satellite Surveillance and Artificial Intelligence addressed precisely this threat model — critical infrastructure nodes that handle sensitive data flows being used as persistent access points by state actors with long operational time horizons. FileZen deployments in Japanese government networks fit that threat model with depressing precision.
What You Need to Do Right Now
If you’re running FileZen, this section is the only part of this post that matters. Everything else is context. Here’s the action list:
Patch immediately. Check Soliton Systems’ security advisory for the patched version. Apply it. Do not schedule it for the next maintenance window. Do it in an emergency change window today.
If you can’t patch immediately, take the device offline. A FileZen appliance that’s internet-facing and unpatched is a liability, not an asset. Take it off the network until you can apply the fix.
Check for signs of compromise. Review FileZen access logs for anomalous command execution, unexpected user sessions, or large file access patterns from unusual IP addresses. If your FileZen doesn’t generate logs you can query, that’s a separate problem you also need to fix.
Audit what FileZen has access to internally. This is the question nobody asks until after an incident. What internal network segments can your FileZen appliance reach? What credentials are stored on it? What’s the blast radius if it’s been used as a pivot point? You need to know this answer today.
Segment it properly going forward. File transfer appliances should live in an isolated DMZ with tight egress controls and no direct access to internal file servers, Active Directory, or database infrastructure. If yours isn’t, fix the architecture while you’re dealing with the patching.
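The "check for signs of compromise" and "audit the blast radius" steps above are only useful if you can actually query the appliance's logs, so here is an added example of what that triage looks like in practice. This is not code from the original post and not Soliton Systems' tooling. It assumes a Combined-Log-Format-like access log (FileZen's real log format is not documented here; adapt `parse_line()` to whatever your appliance emits), assumed route names such as `/filezen/download`, an assumed list of expected client networks, and a constructed set of sample log lines. It flags three things the action list asks for: shell metacharacters in request parameters, sessions from addresses outside your expected client ranges, and bulk downloads from a single source.

```python
"""
Triage an access log from a perimeter file-transfer appliance for the signals
named in the action list: command-injection indicators in request parameters,
sessions from unexpected source addresses, and bulk file retrieval from one IP.

ASSUMPTIONS (example code, not the post's or the vendor's):
  - Combined-Log-Format-like lines; FileZen's real format may differ.
  - Route names (/filezen/download), client networks and thresholds are made up.
  - SAMPLE_LOG below is constructed for this example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, unquote_plus, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Sequences that have no business inside a file-name or folder parameter.
# '&' only shows up in a value if it was double-encoded (%26), which is itself suspicious.
SHELL_META = re.compile(r'[;|&`$]|\$\(|\n|%0a', re.IGNORECASE)

# Assumed: the address ranges your legitimate users come from.
EXPECTED_CLIENT_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
BULK_DOWNLOAD_THRESHOLD = 5  # assumed: successful downloads from one IP in the window

# Constructed sample: two normal requests, two injection attempts from an
# unexpected address, and five downloads in a row from one user.
SAMPLE_LOG = [
    '10.0.5.12 - alice [10/Feb/2026:09:01:02 +0900] "GET /filezen/download?file=report.pdf HTTP/1.1" 200 48213',
    '10.0.5.12 - alice [10/Feb/2026:09:02:10 +0900] "POST /filezen/upload HTTP/1.1" 200 512',
    '198.51.100.77 - - [10/Feb/2026:03:14:07 +0900] "GET /filezen/download?file=a.txt;id HTTP/1.1" 500 0',
    '198.51.100.77 - - [10/Feb/2026:03:14:09 +0900] "GET /filezen/download?file=a.txt%0aid HTTP/1.1" 500 0',
] + [
    f'203.0.113.9 - bob [10/Feb/2026:11:0{n}:00 +0900] "GET /filezen/download?file=q{n}.zip HTTP/1.1" 200 9000'
    for n in range(5)
]


def parse_query(query):
    """Split only on '&' so a ';' in a value is kept as data, not treated as a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    split = urlsplit(entry["path"])
    entry["route"] = split.path
    entry["params"] = parse_query(split.query)
    return entry


def injection_indicators(entry):
    """(param, decoded value) pairs whose value contains shell metacharacters.
    unquote() once more so a double-encoded payload is also caught."""
    return [(k, unquote(v)) for k, v in entry["params"].items() if SHELL_META.search(unquote(v))]


def is_unexpected_source(ip):
    """True if the address is unparsable or outside every expected client network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in EXPECTED_CLIENT_NETS)


def triage(lines):
    """Run all three checks over the log and return a list of finding dicts."""
    findings, downloads = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None:
            findings.append({"kind": "unparseable", "line": line})
            continue
        for param, value in injection_indicators(e):
            findings.append({"kind": "injection_indicator", "ip": e["ip"], "param": param, "value": value})
        if is_unexpected_source(e["ip"]):
            findings.append({"kind": "unexpected_source", "ip": e["ip"], "user": e["user"]})
        if e["route"].endswith("/download") and e["status"] == "200":
            downloads[e["ip"]] += 1
    for ip, count in downloads.items():
        if count >= BULK_DOWNLOAD_THRESHOLD:
            findings.append({"kind": "bulk_download", "ip": ip, "count": count})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Point it at the real log by replacing `SAMPLE_LOG` with the file's lines and tightening `EXPECTED_CLIENT_NETS` to the ranges you actually expect. A hit on `injection_indicator` against an unpatched appliance is the cue to move to the "audit what it can reach" step rather than to keep reading logs.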
As I wrote in my post on Critical Fortinet FortiWeb Zero-Day Actively Exploited Since October, the window between “vulnerability disclosed” and “active exploitation underway” has been collapsing for years. With CVE-2026-25108, you’ve already missed the preventive window — it’s on the KEV list because exploitation is confirmed. You’re now in response mode. Act accordingly.
The broader lesson, which I’ve been flogging since my post on why device IPs should not be publicly visible, is that internet-facing appliances with management interfaces and authenticated access to internal data are walking attack vectors. Every one of them. Treating them as “set and forget” infrastructure is how you end up on CISA’s KEV list as a victim rather than a patch-compliant organization.
The Call-Out
CISA added this to the KEV list. That’s not a suggestion. That’s the intelligence community saying: this flaw is being used actively, against real targets, right now. Binding Operational Directive 22-01 gives U.S. federal agencies a patching deadline. You should pretend you have the same deadline, even if you don’t.
File transfer appliances get breached. They always have been. The list of products in this category that have been exploited in the last 36 months is longer than my coffee order. Until the industry decides to take perimeter appliance security seriously — and the incentives don’t currently point that way — we’re going to keep doing this dance.
Patch. It. Now.
