Two critical vulnerabilities in Progress ShareFile’s Storage Zones Controller (SZC) can be chained together to achieve pre-authentication remote code execution, giving attackers complete control over enterprise file-sharing infrastructure with zero credentials required. With proof-of-concept code published on April 2 and roughly 30,000 SZC instances exposed on the public internet, this is a patch-now situation.
The Vulnerabilities
Researchers at watchTowr discovered the pair of flaws in the SZC component present in ShareFile branch 5.x:
CVE-2026-2699 — Authentication Bypass (CVSS 9.8)
The first link in the chain is an authentication bypass caused by improper handling of HTTP redirects in the SZC admin interface. By manipulating redirect behavior, an unauthenticated attacker can gain access to the ShareFile administrative console without any credentials. From there, the attacker has full control over storage configuration and file management.
CVE-2026-2701 — Remote Code Execution (CVSS 9.1)
Once past authentication, an attacker abuses file upload and extraction functionality to place malicious ASPX webshells directly into the application’s webroot. This gives persistent, arbitrary code execution on the underlying server.
Chained together, these vulnerabilities go from zero access to full server compromise in a single attack flow — no authentication, no user interaction, no social engineering.
The File Exfiltration Angle
Beyond RCE, there’s a particularly insidious data theft vector. An attacker who chains these flaws can modify the victim’s Storage Repository configuration to point at an attacker-controlled AWS S3 bucket. From that point forward, every file synced or uploaded by legitimate users is silently redirected to the attacker’s infrastructure. This turns ShareFile from a secure file-sharing platform into a passive exfiltration pipeline — and the users uploading files have no idea anything has changed.
Who’s Affected
Progress ShareFile Storage Zones Controller branch 5.x versions prior to 5.12.4 are vulnerable. The SZC component is the on-premises piece of ShareFile that handles file storage and transfer operations. It’s widely deployed in enterprises that need on-prem storage zones for compliance or data residency requirements.
watchTowr’s internet-wide scans found approximately 30,000 SZC instances directly exposed on the public internet. Given that ShareFile is commonly used for handling sensitive documents — legal filings, financial records, healthcare data, M&A documents — the potential blast radius of exploitation is severe.
Timeline
- February 6–13, 2026: watchTowr discovers and reports both vulnerabilities to Progress.
- March 10, 2026: Progress releases ShareFile SZC version 5.12.4 with fixes.
- April 2, 2026: watchTowr publishes full technical analysis and proof-of-concept exploit code.
The three-week gap between patch release and POC publication gave organizations a window to patch. That window is now closed.
Why This Matters
Progress Software has been a recurring target since the MOVEit mass exploitation in 2023. Secure file transfer appliances sit at a critical junction in enterprise infrastructure — they handle some of the most sensitive data in an organization, they’re often internet-facing, and they typically run with elevated privileges. The pattern keeps repeating: Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and now ShareFile.
If you run Progress ShareFile with on-premises Storage Zones Controllers, this chain gives an unauthenticated attacker everything they need: admin access, code execution, persistent backdoors, and silent data exfiltration.
What To Do Right Now
Patch immediately. Upgrade all ShareFile Storage Zones Controller instances to version 5.12.4 or later. This is the only complete fix.
Check for compromise. Review SZC instances for unexpected ASPX files in web-accessible directories. Look for modifications to Storage Repository configurations — particularly any pointing to unfamiliar S3 buckets or external storage endpoints.
Audit access logs. Look for unauthenticated access to admin endpoints and unusual redirect patterns in HTTP logs on your SZC instances.
Restrict network exposure. If you haven’t already, place SZC instances behind a VPN or zero-trust access layer. There is no reason for the admin interface to be directly internet-facing.
Monitor for exploitation. With public POC code available, mass scanning and exploitation are expected imminently, if not already underway.
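The "Audit access logs" item above, worked through as an added example (this is not code from the article, watchTowr or Progress): it parses IIS W3C access log lines from an SZC host, flags anonymous requests that received a success response on admin endpoints, and notes whether each one closely followed an HTTP redirect to the same client. The admin path prefix and the log lines are constructed placeholders, not values from the page.

```python
"""Triage an IIS W3C log from a ShareFile SZC host: anonymous requests to admin
endpoints that succeeded, and whether each closely followed a redirect."""
from datetime import datetime, timedelta

# Assumption/placeholder: path prefix of the SZC admin console in your deployment.
ADMIN_PREFIXES = ("/admin/",)
REDIRECT_WINDOW = timedelta(seconds=60)

# Constructed sample in IIS W3C extended format, not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-username
2026-04-03 10:00:01 203.0.113.5 GET /admin/Login.aspx - 302 -
2026-04-03 10:00:02 203.0.113.5 GET /admin/Configure.aspx - 200 -
2026-04-03 10:05:00 198.51.100.7 GET /admin/Configure.aspx - 200 CORP\\jdoe
2026-04-03 10:06:00 198.51.100.9 GET /Upload.aspx - 200 -
2026-04-03 10:07:00 203.0.113.5 POST /admin/Configure.aspx storage=1 200 -
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split()))

def find_suspicious(records, admin_prefixes=ADMIN_PREFIXES):
    """Flag anonymous (cs-username '-') 2xx responses on admin paths and record
    whether the same client got a 3xx within REDIRECT_WINDOW beforehand."""
    last_redirect = {}  # c-ip -> time of that client's most recent 3xx
    findings = []
    for r in records:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        status = int(r["sc-status"])
        if 300 <= status < 400:
            last_redirect[r["c-ip"]] = ts
            continue
        if (r["cs-uri-stem"].startswith(admin_prefixes)
                and r["cs-username"] == "-" and 200 <= status < 300):
            prior = last_redirect.get(r["c-ip"])
            findings.append({
                "time": ts, "client": r["c-ip"], "method": r["cs-method"],
                "path": r["cs-uri-stem"],
                "after_redirect": prior is not None and ts - prior <= REDIRECT_WINDOW,
            })
    return findings
```

Authenticated admin hits (a real cs-username) and anonymous hits outside the admin prefix are not flagged; a finding with after_redirect set is the pattern worth pulling the surrounding requests for first.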