CVE-2026-25108 Microsoft Sentinel · KQL

Detect Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) in Microsoft Sentinel

Detects exploitation of CVE-2026-25108, an OS command injection vulnerability (CWE-78) in Soliton Systems K.K FileZen file-sharing appliance. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows unauthenticated or authenticated attackers to inject arbitrary OS commands through vulnerable input fields, potentially leading to full system compromise.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation Impact

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let FileZenIPs = dynamic([]);
let SuspiciousCommands = dynamic(['wget','curl','bash','sh','nc','ncat','python','perl','ruby','chmod','chown','id','whoami','uname','cat /etc/passwd','base64']);
union
(
  CommonSecurityLog
  | where TimeGenerated > ago(7d)
  | where DeviceProduct has_any ("FileZen", "filezen")
  | where RequestURL has_any ('upload','download','admin','config','login')
  | where RequestURL matches regex @"[;&|`$(){}\[\]]"
  | extend SuspiciousChars = extract(@"([;&|`$(){}\[\]]{1,})", 1, RequestURL)
  | project TimeGenerated, SourceIP, DestinationIP, RequestURL, SuspiciousChars, DeviceVendor, DeviceProduct, Activity
),
(
  AzureActivity
  | where TimeGenerated > ago(7d)
  | where ResourceProviderValue == "MICROSOFT.SECURITY"
  | where Properties has_any ("FileZen", "CVE-2026-25108")
  | project TimeGenerated, Caller, OperationName, ResourceGroup, Properties
),
(
  SecurityAlert
  | where TimeGenerated > ago(7d)
  | where AlertName has_any ("command injection", "FileZen", "CVE-2026-25108")
  | project TimeGenerated, AlertName, AlertSeverity, Entities, ExtendedProperties
),
(
  W3CIISLog
  | where TimeGenerated > ago(7d)
  | where csUriStem has_any ("/cgi-bin/", "/admin/", "/upload", "/download")
  | where csUriQuery matches regex @"[;&|`$(){}\[\]]"
  | where csUserAgent !in ("GoogleBot", "BingBot")
  | extend InjectionAttempt = extract(@"([;&|`]{1,}[^&\s]{3,})", 1, csUriQuery)
  | where isnotempty(InjectionAttempt)
  | project TimeGenerated, cIP, csHost, csUriStem, csUriQuery, InjectionAttempt, scStatus
)
| extend Severity = "Critical"
| extend CVE = "CVE-2026-25108"
| extend Tactic = "Initial Access / Execution"
| order by TimeGenerated desc
critical severity medium confidence

Detects potential OS command injection attempts against Soliton FileZen appliances by monitoring for shell metacharacters in HTTP request URLs and query strings, as well as SIEM alerts referencing the CVE. Also correlates IIS/web server logs for injection patterns in CGI and admin endpoints.

Data Sources

CommonSecurityLogW3CIISLogSecurityAlertAzureActivity

Required Tables

CommonSecurityLogW3CIISLogSecurityAlertAzureActivity

False Positives & Tuning

  • Legitimate administrative scripts that pass shell-like syntax in URL parameters for non-malicious purposes
  • Vulnerability scanners or penetration testing tools running authorized assessments against the appliance
  • URL-encoded special characters in file names uploaded through the FileZen interface that decode to metacharacters
  • Security monitoring agents that generate alerts with CVE references during routine scanning

Other platforms for CVE-2026-25108

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FileZen-style CGI Command Injection via HTTP GET parameter

    Expected signal: Web server access log records GET request to /cgi-bin/upload.cgi with semicolon character in query string. Process audit log shows web server process (httpd/nginx) spawning /bin/sh or /bin/bash as child process executing 'id' command.

  2. Test 2Post-Exploitation Reverse Shell Download via Injected wget

    Expected signal: Web server access log shows POST to /admin/config.cgi with pipe and wget in POST body. Network telemetry shows outbound TCP connection from web server host to ATTACKER_HOST:8080. File creation event for /tmp/payload.sh. Process execution of wget and chmod as children of web server process.

  3. Test 3Credential and Configuration Exfiltration via Piped cat Command

    Expected signal: Web server log records GET request to /download endpoint with URL-encoded pipe and cat command sequence. Network telemetry shows outbound POST connection from FileZen host to ATTACKER_HOST:9090. Process audit captures cat /etc/passwd executed as child of web server process, followed by curl data exfiltration subprocess.

  4. Test 4Webshell Implantation via Command Injection for Persistent Access

    Expected signal: Web server access log records POST to CGI endpoint with semicolon and echo command in body. File creation event for /var/www/html/status.php with PHP content. Process tree shows web server spawning sh executing echo redirection. Subsequent access to /var/www/html/status.php with cmd parameter would indicate webshell usage.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-25108 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege EscalationTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.004Unix ShellT1105Ingress Tool TransferT1136Create Account

Same Tactic: Initial Access

Popular Detections