Detect Soliton FileZen OS Command Injection Exploitation (CVE-2026-25108) in Splunk
Detects exploitation of CVE-2026-25108, an OS command injection vulnerability (CWE-78) in Soliton Systems K.K FileZen file-sharing appliance. This vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog and allows unauthenticated or authenticated attackers to inject arbitrary OS commands through vulnerable input fields, potentially leading to full system compromise.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("access_combined", "access_combined_wcookie", "cisco:asa", "pan:traffic", "syslog", "wineventlog")
(
(
(uri="*/cgi-bin/*" OR uri="*/admin/*" OR uri="*/upload*" OR uri="*/download*" OR uri="*/login*")
AND (uri="*%3B*" OR uri="*%7C*" OR uri="*%60*" OR uri="*;*" OR uri="*|*" OR uri="*`*" OR uri="*$(*)" OR uri="*&&*")
)
OR
(
host IN ("filezen", "FileZen", "soliton")
AND (uri="*wget*" OR uri="*curl*" OR uri="*bash*" OR uri="*nc *" OR uri="*chmod*" OR uri="*python*")
)
OR
(
message="*CVE-2026-25108*" OR message="*FileZen*command*injection*"
)
)
| eval injection_chars=if(match(uri, "[;&|`$(){}\[\]]"), "true", "false")
| eval suspicious_cmd=case(
match(uri, "wget|curl|bash|sh |/bin/|python|perl|ruby"), "shell_download_or_exec",
match(uri, "nc |ncat|socat"), "reverse_shell_tool",
match(uri, "id;|whoami|/etc/passwd|/etc/shadow"), "recon_command",
true(), "other"
)
| eval cve="CVE-2026-25108"
| eval severity="critical"
| table _time, src_ip, dest_ip, host, uri, status, injection_chars, suspicious_cmd, cve, severity
| sort -_timeDetects OS command injection attempts against Soliton FileZen via web access logs by identifying shell metacharacters and known command strings in HTTP request URIs targeting common FileZen administrative and file-handling endpoints.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration testing or vulnerability assessments that submit injection payloads for validation purposes
- Legitimate file uploads with special characters in filenames that appear in access logs as encoded metacharacters
- Internal monitoring tools that probe administrative endpoints using scripted requests resembling injection attempts
- URL encoding of legitimate query parameters that decode to shell-like syntax in log analysis
Other platforms for CVE-2026-25108
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FileZen-style CGI Command Injection via HTTP GET parameter
Expected signal: Web server access log records GET request to /cgi-bin/upload.cgi with semicolon character in query string. Process audit log shows web server process (httpd/nginx) spawning /bin/sh or /bin/bash as child process executing 'id' command.
- Test 2Post-Exploitation Reverse Shell Download via Injected wget
Expected signal: Web server access log shows POST to /admin/config.cgi with pipe and wget in POST body. Network telemetry shows outbound TCP connection from web server host to ATTACKER_HOST:8080. File creation event for /tmp/payload.sh. Process execution of wget and chmod as children of web server process.
- Test 3Credential and Configuration Exfiltration via Piped cat Command
Expected signal: Web server log records GET request to /download endpoint with URL-encoded pipe and cat command sequence. Network telemetry shows outbound POST connection from FileZen host to ATTACKER_HOST:9090. Process audit captures cat /etc/passwd executed as child of web server process, followed by curl data exfiltration subprocess.
- Test 4Webshell Implantation via Command Injection for Persistent Access
Expected signal: Web server access log records POST to CGI endpoint with semicolon and echo command in body. File creation event for /var/www/html/status.php with PHP content. Process tree shows web server spawning sh executing echo redirection. Subsequent access to /var/www/html/status.php with cmd parameter would indicate webshell usage.
Unlock Pro Content
Get the full detection package for CVE-2026-25108 including response playbook, investigation guide, and atomic red team tests.