Progress ShareFile Has a Full Server Takeover Chain — 30,000 Instances Are Exposed
Two critical vulnerabilities in Progress ShareFile's on-premises Storage Zones Controller can be chained to take over internet-facing servers without a single valid credential. No authentication, no social engineering, no insider access. Just a public IP and time.
WatchTowr disclosed the bugs yesterday after private disclosure to Progress in February. Patch now. The window before active exploitation is narrowing.
What's Vulnerable
The affected component is the ShareFile Storage Zones Controller — the on-premises piece that lets enterprises store files in their own infrastructure while using ShareFile's cloud management layer. It's popular with organizations that have compliance mandates, data sovereignty requirements, or internal security policies that prohibit full-cloud storage.
That compliance-sensitive profile makes it a particularly attractive target. These aren't test servers. They hold regulated data.
WatchTowr estimates roughly 30,000 Storage Zones Controller instances are currently internet-facing.
The Two Bugs
CVE-2026-2699 — Authentication Bypass (CVSS 9.8)
The bypass lives in `Admin.aspx`, the controller's admin configuration page. The application issues an HTTP 302 redirect to the login page when an unauthenticated request comes in — standard behavior. The problem: the underlying page logic keeps executing after the redirect is issued.
This is an Execution After Redirect (EAR) condition. The redirect fires, but the server doesn't actually stop processing the request. An attacker who doesn't follow the redirect sees the full admin interface. From there, they can modify zone settings, storage paths, and passphrase-related configuration values — all without ever entering credentials.
CVE-2026-2701 — Remote Code Execution (CVSS 9.1)
Once inside the admin interface, the second bug turns configuration access into code execution. An attacker can upload a malicious archive that gets extracted into a server-controlled path. The result: a web shell deployed to the server. Game over.
Chained together, CVE-2026-2699 + CVE-2026-2701 go from zero access to full server control in a single attack sequence.
Who's at Risk
Customer-managed ShareFile Storage Zones Controller 5.x deployments — specifically anything below 5.12.4. The 6.x branch is not affected.
Progress is urging customers to upgrade to 5.12.4 immediately, or migrate to any 6.x release. Given the CVSS scores and the attack chain simplicity, treat this as a drop-everything patch.
Exposure checklist:
- Are you running ShareFile Storage Zones Controller 5.x?
- Is the admin interface accessible from the internet?
- Are you below version 5.12.4?
If yes to any of those: stop reading and start patching.
Context on the Threat Profile
No active exploitation has been publicly reported — yet. But the timeline matters here. Public disclosure happened today. WatchTowr published technical details. The bug class (EAR on a configuration page) is well-understood by attackers. The exploit path is not complex.
Ransomware groups have historically prioritized file-sharing infrastructure for exactly this reason: the data sitting on these servers is often regulated, sensitive, and time-critical for the victim. That creates maximum leverage.
RunZero has both flaws listed as critical. The CVSS scores (9.8 and 9.1) aren't inflated — the combination of no-auth access plus code execution on a server handling enterprise file storage earns those ratings.
Progress patched these in 5.12.4. That's your target version.
What To Do Right Now
- Inventory your ShareFile deployments. If you're running customer-managed Storage Zones Controllers, confirm which version you're on.
- Upgrade to 5.12.4 or migrate to 6.x. Progress has the patch. There's no workaround that substitutes for upgrading.
- Audit internet exposure. If admin interfaces are reachable from the public internet, close that off regardless of patch status. Admin surfaces should never be public-facing.
- Check for indicators of compromise. Look at access logs for `Admin.aspx`: unauthenticated requests that didn't result in a redirect, or requests that received a 302 but also returned page content (a redirect response should carry only a small body).
- Monitor for web shells. If you're not sure whether you were hit before patching, scan your ShareFile server directories for unexpected `.aspx` files or recently created files in storage paths.
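The log review described in the checklist above, as an added example that is not part of the original article or of any WatchTowr or Progress tooling. It scans IIS W3C extended log lines for `Admin.aspx` requests where a 302 redirect carried a full page body (the EAR pattern), and separately lists 200 responses with no IIS-level username for manual review. The sample log and its field order are constructed assumptions; `sc-bytes` must be enabled in IIS logging for the size check to work.

```python
# Constructed IIS W3C sample (not real ShareFile logs). The field order is an
# assumption; real analysis should honour the #Fields: header of each log file.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-bytes
2026-03-01 10:00:01 GET /Admin.aspx - 203.0.113.5 302 219
2026-03-01 10:00:02 GET /Admin.aspx - 203.0.113.5 302 48213
2026-03-01 10:00:03 GET /Admin.aspx admin 198.51.100.7 200 47990
2026-03-01 10:00:04 POST /Admin.aspx - 203.0.113.5 200 1204
2026-03-01 10:00:05 GET /Login.aspx - 203.0.113.5 200 5100
"""


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def suspicious_admin_requests(log_text, redirect_body_max=1024):
    """Return (confidence, reason, record) for Admin.aspx requests worth a closer look.

    A 302 whose body is far larger than a redirect stub is the strong signal: the
    page kept rendering after issuing the redirect. A 200 with no IIS-level user is
    weaker, because forms-authenticated sessions often log cs-username as '-'.
    """
    findings = []
    for rec in parse_w3c(log_text):
        if rec.get("cs-uri-stem", "").lower() != "/admin.aspx":
            continue
        status = int(rec["sc-status"])
        size = int(rec["sc-bytes"])
        if status == 302 and size > redirect_body_max:
            findings.append(("high", "302 redirect carried a full page body", rec))
        elif status == 200 and rec.get("cs-username", "-") == "-":
            findings.append(("review", "200 on Admin.aspx with no IIS-level user", rec))
    return findings


if __name__ == "__main__":
    for confidence, reason, rec in suspicious_admin_requests(SAMPLE_LOG):
        print(f"[{confidence}] {rec['date']} {rec['time']} {rec['c-ip']} "
              f"{rec['cs-method']} sc-status={rec['sc-status']} sc-bytes={rec['sc-bytes']}: {reason}")
```

Tune `redirect_body_max` to the size of a genuine login redirect on your own server before trusting the high-confidence hits.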
The bugs were sitting in version 5.x before WatchTowr found them. The question now isn't whether attackers will try to exploit this — it's whether your systems are patched before they do.
*CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1) were disclosed by WatchTowr and affect Progress ShareFile Storage Zones Controller 5.x. Fixed in 5.12.4 and all 6.x releases.*