Progress ShareFile Flaws Chain to Pre-Auth RCE on 30,000 Servers
CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.
Two vulnerabilities in Progress ShareFile Storage Zones Controller can be chained together to achieve pre-authentication remote code execution on customer-managed deployments. watchTowr Labs disclosed the technical details on April 2 after Progress quietly patched the flaws in version 5.12.4 on March 10.
Shodan queries identify roughly 30,000 ShareFile Storage Zone Controller instances exposed to the internet. Organizations running version 5.x prior to 5.12.4 should treat this as an emergency patch.
The Exploit Chain
CVE-2026-2699 carries a CVSS score of 9.8 and provides the initial authentication bypass. The flaw exists in how the Storage Zones Controller handles HTTP redirects—attackers can manipulate redirect responses to access restricted administrative functionality without credentials.
Once inside the admin interface, attackers can modify Storage Zone configuration settings. This includes security-sensitive parameters like the zone passphrase and related cryptographic secrets.
CVE-2026-2701 scores 9.1 CVSS and delivers the code execution. With the extracted secrets from the first vulnerability, attackers can generate valid HMAC signatures to upload arbitrary files. The file upload functionality can be abused to place malicious ASPX webshells directly in the application's webroot.
According to watchTowr's technical writeup, the full attack chain works like this:
- Exploit CVE-2026-2699 to bypass authentication and reach admin controls
- Extract the zone passphrase and cryptographic secrets from configuration
- Generate valid upload signatures using the stolen secrets
- Upload a webshell to the webroot via CVE-2026-2701
- Execute arbitrary commands on the underlying Windows server
What Gets Compromised
ShareFile Storage Zones Controller manages the actual file storage for ShareFile deployments—the data at rest. A compromised controller gives attackers access to every file stored in that zone, including documents shared through ShareFile's enterprise collaboration features.
Organizations often deploy ShareFile for sensitive document exchange: legal contracts, financial records, healthcare data, and HR documents. The Storage Zones Controller architecture means this data sits on customer-managed infrastructure rather than in Progress's cloud—which is why these on-prem deployments exist in the first place.
Beyond file exfiltration, the webshell provides persistent access to a server sitting inside the corporate network. ShareFile deployments typically have network access to other internal systems, making them valuable pivot points.
Progress's Silent Patch
Progress released version 5.12.4 on March 10 with minimal fanfare. The release notes mention "security improvements" without detailing the severity. watchTowr's disclosure three weeks later provided the technical context organizations need to prioritize the update.
This approach has precedent. The FortiClient EMS vulnerability followed a similar pattern, where the vendor downplayed severity until researchers published exploitation details. The pattern creates a window in which attackers who can diff the patch develop exploits before defenders understand the urgency.
The Shadowserver Foundation reports approximately 700 internet-accessible ShareFile instances remain unpatched as of this writing. Most are located in the United States and Europe.
Detection and Response
Organizations should check their ShareFile Storage Zones Controller version immediately. The vulnerable component is specifically the customer-managed Storage Zones Controller in the 5.x branch—ShareFile's SaaS offering and other components are not affected.
If you cannot patch immediately, restrict network access to the Storage Zone Controller. The exploit requires direct HTTP connectivity to the controller's management interface. Placing the system behind a VPN or firewall with strict access controls reduces exposure while you schedule the maintenance window.
Review web server logs for unusual POST requests to configuration endpoints and file upload paths. The exploit chain leaves artifacts in IIS logs that can indicate exploitation attempts.
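The log review described above can be scripted. The following is an added example, not code from the article, from watchTowr, or from Progress: it parses IIS W3C extended log lines using the `#Fields:` header, classifies each request as a configuration write, an upload, or a request for an .aspx page outside a known baseline, and reports source addresses whose requests progress through the chain. The endpoint patterns (`/config`, `/admin`, `/upload`) and the baseline page list are assumptions for the sake of illustration, since the article names no concrete paths; the log lines are constructed sample data, not real traffic.

```python
"""
Flag the request sequence the ShareFile Storage Zones Controller exploit
chain would leave in IIS logs: a POST to a configuration endpoint, a POST to
an upload path, then a request for an .aspx page that is not part of the
known application surface.

Added illustration; not code from the article, watchTowr or Progress.
"""
import re

# ASSUMED endpoint patterns; the article names no concrete paths.
# Replace with the real paths of your deployment.
CONFIG_PATTERNS = [re.compile(r"/config", re.I), re.compile(r"/admin", re.I)]
UPLOAD_PATTERNS = [re.compile(r"/upload", re.I)]
# ASSUMED baseline of legitimate .aspx pages for this deployment.
KNOWN_ASPX = {"/default.aspx", "/login.aspx"}

STAGES = ("config_write", "upload", "unknown_aspx")

# Constructed sample log in IIS W3C extended format (not real traffic).
# IIS writes '+' for spaces inside a field, so each record splits on ' '.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-03-15 10:22:01 10.0.0.5 GET /default.aspx - 443 - 198.51.100.4 Mozilla/5.0 200
2026-03-15 10:22:03 10.0.0.5 POST /configservice/zone - 443 - 203.0.113.7 python-requests/2.31 200
2026-03-15 10:22:05 10.0.0.5 POST /upload.aspx id=1 443 - 203.0.113.7 python-requests/2.31 200
2026-03-15 10:22:09 10.0.0.5 GET /x.aspx - 443 - 203.0.113.7 python-requests/2.31 200
2026-03-15 10:23:00 10.0.0.5 POST /upload.aspx id=2 443 alice 198.51.100.4 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines instead of aborting the scan
        yield dict(zip(fields, values))


def classify(rec):
    """Map one request to a stage of the chain, or None if it is benign."""
    method = rec.get("cs-method", "").upper()
    stem = rec.get("cs-uri-stem", "")
    status = rec.get("sc-status", "")
    if method == "POST" and any(p.search(stem) for p in CONFIG_PATTERNS):
        return "config_write"
    if method == "POST" and any(p.search(stem) for p in UPLOAD_PATTERNS):
        return "upload"
    # A successful hit on an .aspx page outside the baseline is the
    # signature of a dropped webshell being used.
    if stem.lower().endswith(".aspx") and stem.lower() not in KNOWN_ASPX and status == "200":
        return "unknown_aspx"
    return None


def find_suspicious_sequences(text):
    """Return {client_ip: [stages in first-seen order]} for addresses worth triage.

    An address is reported when it reaches two or more distinct stages, or
    when it requests an unknown .aspx page at all. A single upload POST from
    an authenticated user is normal traffic and is not reported.
    """
    seen = {}
    for rec in parse_iis_w3c(text):
        stage = classify(rec)
        if stage is None:
            continue
        stages = seen.setdefault(rec.get("c-ip", "?"), [])
        if stage not in stages:
            stages.append(stage)
    return {
        ip: stages
        for ip, stages in seen.items()
        if len(stages) >= 2 or "unknown_aspx" in stages
    }


if __name__ == "__main__":
    for ip, stages in find_suspicious_sequences(SAMPLE_LOG).items():
        print(f"{ip}: {' -> '.join(stages)}")
```

Run it against exported IIS logs by replacing `SAMPLE_LOG` with the file contents; tune `KNOWN_ASPX` from a clean install so that every legitimate page is in the baseline before treating an unknown .aspx hit as an alert.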
Why Progress Products Keep Appearing Here
Progress Software's portfolio has become a favorite target. The MOVEit Transfer mass exploitation in 2023 exposed over 2,600 organizations. The Telerik UI vulnerabilities have been chained in attacks against government agencies. These ShareFile flaws continue the pattern of critical vulnerabilities in enterprise file transfer products that handle sensitive data and sit at network boundaries.
Organizations running any Progress products should audit their deployments and ensure security advisories reach the teams managing these systems. The 23-day gap between patch availability and public disclosure represents a window where only the most diligent organizations applied the fix.