Progress Software issued an emergency advisory on July 10 instructing every customer running an on-premises ShareFile Storage Zone Controller (SZC) to shut down the Windows server hosting it — immediately, and by hand. Two days later the company still hasn’t said what the threat is, whether it involves a zero-day, or whether any customer has actually been compromised. For a component that watchTowr researchers found sitting on roughly 30,000 internet-reachable hosts, that combination of urgency and silence is the story.
What’s happening
ShareFile is Progress’s managed file-transfer and sharing platform. Most customers run it as pure SaaS, but organizations that need files to stay on their own storage run a self-hosted component called the Storage Zones Controller — a Windows server that sits between ShareFile’s cloud control plane and the customer’s on-prem or cloud storage backend. It’s frequently deployed at the network edge and reachable from the internet, the same architectural pattern that made MOVEit and GoAnywhere MFT such attractive ransomware footholds.
Progress confirmed to reporters that it is responding to a “credible external security threat” targeting Storage Zone Controllers. The company’s advisory tells admins to do two things immediately: disable account access through the ShareFile cloud console, and manually power off the Windows servers hosting the SZC role. Progress was explicit that disabling cloud access alone is not sufficient — the servers themselves need to come down, which signals the exposure is in the on-prem component’s own listening surface, not just credential or API access mediated by the cloud side.
Only the Storage Zones Controller is implicated. Standard cloud-only ShareFile accounts, with no self-hosted storage zone, are not affected.
What Progress hasn’t said
As of this writing, Progress has not published a CVE, has not confirmed whether the threat is a zero-day, and has not said whether any customer environment has actually been breached. The company states it has “no indication of unauthorized access to any ShareFile accounts or data” but is acting “out of an abundance of caution” while working with internal and external security researchers. No patch is available. No threat actor has been named publicly, and no ransomware group has claimed responsibility for exploitation.
That’s an unusual posture: vendors that tell customers to physically shut down production servers, rather than apply a mitigation or wait for a patch window, are typically responding to evidence of active or imminent exploitation of an unpatched flaw — the same category of response Ivanti and Fortinet have used for pre-auth appliance RCEs in past incidents. The lack of a CVE this early suggests the internal investigation is still ongoing and Progress does not yet have full clarity on root cause, exploitability, or scope.
Why this matters even before the details land
SZC has form. In April 2026, watchTowr Labs disclosed a chainable pre-auth RCE in the same component — CVE-2026-2699 (auth bypass) and CVE-2026-2701 (webshell RCE) — with a public PoC and tens of thousands of exposed instances. Progress has not linked the current shutdown advisory to those CVEs, and there’s no public evidence they’re the same issue, but the pattern (unauthenticated network exposure, Windows-hosted admin surface, file-exfiltration potential via storage-zone reconfiguration) is exactly the profile that makes SZC a repeat target. MFT-adjacent infrastructure has been the preferred entry point for Cl0p and other extortion crews for several years running precisely because it sits at the edge, holds sensitive files by design, and is often deployed once and forgotten by IT teams who treat it as “the file transfer thing” rather than a security-critical appliance.
What to do now
- Locate every SZC instance. Inventory is the first failure point — SZC is often installed by a business unit outside central IT’s asset list. Check for the StorageCenter/StorageZonesController Windows service and any host answering on the SZC’s configured HTTPS port.
- Shut down internet-facing SZC hosts now, per Progress’s guidance, rather than waiting for a CVE or patch to confirm the risk is real. If the server must stay up for business continuity, pull it behind a VPN or restrict inbound access to known-good IPs at the firewall — full shutdown is still the vendor’s stated recommendation.
- Disable ShareFile cloud access for the affected storage zone accounts as an additional layer, per the advisory — but treat it as a supplement to the shutdown, not a substitute.
- Preserve logs before shutdown. IIS/W3C logs, Windows Security event logs, and SZC application logs on the host may be the only artifacts available if Progress later releases indicators of compromise. Snapshot or export them before powering down.
- Watch for outbound connections to unfamiliar storage endpoints. The April CVE chain demonstrated that a compromised SZC can be reconfigured to silently mirror file traffic to attacker-controlled S3 buckets — check storage-zone configuration for unauthorized changes if the server was reachable from the internet at any point in the last month.
- Subscribe to the official advisory at Progress’s ShareFile support portal and thehackernews.com/bleepingcomputer coverage for updates — this is a live, unfolding disclosure and details (CVE, patch, root cause) are expected as the investigation progresses.
We’ll follow up with a dedicated CVE writeup once Progress publishes technical detail. Until then, treat any internet-facing Storage Zones Controller as compromised-until-proven-otherwise and act on the shutdown guidance rather than waiting for confirmation.