CISA Flags Actively Exploited Vuln

CISA added a vulnerability in the FileZen file transfer appliance (CVE-2026-25108) to its Known Exploited Vulnerabilities (KEV) catalog. The move signals that the flaw is being actively used in real-world attacks, requiring immediate patching.

The vulnerability, an OS command injection flaw, allows a remote, authenticated attacker to execute arbitrary commands on the appliance. It is triggered by sending a crafted HTTP request to a particular input field on the screen after logging in, so credentials for even a low-privileged account are enough. The exploit is only possible if the appliance's antivirus scanning feature, which uses a Bitdefender engine, is enabled. Tokyo-based Soliton Systems, the developer of FileZen, has confirmed receiving multiple reports of damage from attackers exploiting this vulnerability.

There has been public speculation linking the flaw to a ransomware incident at Washington Hotel in Japan, but the KEV listing itself does not confirm its use in ransomware campaigns. Federal civilian agencies in the U.S. are required to apply the patch by March 17, 2026.

This isn't the first time FileZen appliances have been targeted. In 2021, threat actors chained two separate vulnerabilities (CVE-2020-5639 and CVE-2021-20655) to breach systems. That campaign, which targeted corporate and government entities primarily in Japan, involved uploading malicious files and then executing them with elevated privileges.

The addition of a vulnerability to the CISA KEV catalog signifies that it is not a theoretical threat, but one with reliable evidence of active, real-world exploitation. For a CVE to be listed, it must have an assigned CVE ID, confirmed exploitation in the wild, and clear remediation guidance (a patch, mitigation, or workaround) available. This lets organizations prioritize patching based on immediate risk rather than on a high CVSS score alone.
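The prioritization point above is easy to put into practice, because CISA publishes the KEV catalog as a machine-readable JSON feed. The script below is an added example, not code from the article, CISA, or Soliton Systems: it ranks a vulnerability inventory so that KEV-listed items come first (earliest remediation due date first, with overdue items flagged), and only then falls back to CVSS. The KEV snapshot and the inventory, including its CVSS scores, are constructed for illustration; the snapshot reuses the real feed's field names but contains only the entry this page discusses, so absence from it says nothing about the real catalog.

```python
"""Rank a vulnerability inventory by CISA KEV membership before CVSS."""
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# The live catalog is published as JSON at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Nothing is fetched here: KEV_SNAPSHOT is a constructed, deliberately partial
# stand-in that reuses the feed's field names. Absence from it says nothing
# about the real catalog.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-25108",
            "vendorProject": "Soliton Systems",
            "product": "FileZen",
            "dueDate": "2026-03-17",
            # KEV records ransomware use as "Known" or "Unknown"; the listing
            # discussed on this page does not confirm ransomware use.
            "knownRansomwareCampaignUse": "Unknown",
        }
    ]
})

# Constructed inventory: asset names and CVSS scores are placeholders, not
# the real ratings of these CVEs.
INVENTORY = [
    {"cve": "CVE-2020-5639", "cvss": 9.8, "asset": "filezen-legacy"},
    {"cve": "CVE-2021-20655", "cvss": 7.2, "asset": "filezen-legacy"},
    {"cve": "CVE-2026-25108", "cvss": 7.2, "asset": "filezen-prod"},
]


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    in_kev: bool
    due: Optional[date]
    overdue: bool
    ransomware: str  # KEV's knownRansomwareCampaignUse, or "n/a" if not listed


def load_kev(feed_json: str) -> dict:
    """Index a KEV feed document by CVE ID."""
    doc = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def prioritize(inventory: list, kev: dict, as_of: str) -> list:
    """Sort KEV-listed findings first (earliest due date first), then the
    remaining findings by CVSS descending. `as_of` is an ISO date used to
    decide which KEV due dates have already passed."""
    today = date.fromisoformat(as_of)
    findings = []
    for item in inventory:
        entry = kev.get(item["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        findings.append(Finding(
            cve=item["cve"],
            asset=item["asset"],
            cvss=item["cvss"],
            in_kev=entry is not None,
            due=due,
            overdue=due is not None and today > due,
            ransomware=entry.get("knownRansomwareCampaignUse", "Unknown") if entry else "n/a",
        ))
    # Sort key: non-KEV items sort after KEV items (False < True), KEV items
    # by due date, everything else by CVSS (negated for descending order).
    findings.sort(key=lambda f: (not f.in_kev, f.due or date.max, -f.cvss))
    return findings


if __name__ == "__main__":
    for f in prioritize(INVENTORY, load_kev(KEV_SNAPSHOT), "2026-03-01"):
        status = "KEV" if f.in_kev else "   "
        flag = " OVERDUE" if f.overdue else ""
        print(f"{status} {f.cve:<16} {f.asset:<15} cvss={f.cvss:<4} "
              f"due={f.due} ransomware={f.ransomware}{flag}")
```

With the constructed data, CVE-2026-25108 ranks first despite having the lowest placeholder CVSS in the inventory, because it is the only KEV-listed item; the 9.8-rated entry drops to second. Swapping KEV_SNAPSHOT for the live feed (and the inventory for your scanner's export) is the only change needed to run this against real data.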


Shared from Scout - Be the smartest in the room.