26 April 2021

Hackers target corporate and government networks via flaws in Soliton FileZen file-sharing servers


Malicious actors are targeting companies and government organizations using two vulnerabilities in the popular file-sharing server Soliton FileZen to steal sensitive data.

The two flaws in question are CVE-2020-5639 and CVE-2021-20655. The first bug is a path traversal issue that allows a remote attacker to conduct directory traversal attacks via a specially crafted HTTP request. The second flaw is an OS command injection issue that allows a remote user to execute arbitrary shell commands on the target system.

Both bugs have been used as part of a widespread hacking campaign, with the Japanese Prime Minister’s Cabinet Office being one of the targets. The breach occurred in January this year, when hackers gained unauthorized access to the agency’s FileZen servers and stole confidential personal information (name, affiliation, contact information, etc.) of 231 people.

Soliton addressed both flaws in FileZen solutions with the release of firmware versions V4.2.8 and V5.0.3. The company has advised its customers to change all admin account passwords and reset access-control lists.
