Progress ShareFile Flaws Chain to Pre-Auth RCE on 30,000 Servers
CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.
Two vulnerabilities in Progress ShareFile Storage Zones Controller can be chained together to achieve pre-authentication remote code execution on customer-managed deployments. watchTowr Labs disclosed the technical details on April 2, after Progress quietly patched the flaws in version 5.12.4 on March 10.
Shodan queries identify roughly 30,000 ShareFile Storage Zone Controller instances exposed to the internet. Organizations running version 5.x prior to 5.12.4 should treat this as an emergency patch.
The Exploit Chain
CVE-2026-2699 carries a CVSS score of 9.8 and provides the initial authentication bypass. The flaw exists in how the Storage Zones Controller handles HTTP redirects—attackers can manipulate redirect responses to access restricted administrative functionality without credentials.
Once inside the admin interface, attackers can modify Storage Zone configuration settings. This includes security-sensitive parameters like the zone passphrase and related cryptographic secrets.
CVE-2026-2701 scores 9.1 CVSS and delivers the code execution. With the extracted secrets from the first vulnerability, attackers can generate valid HMAC signatures to upload arbitrary files. The file upload functionality can be abused to place malicious ASPX webshells directly in the application's webroot.
According to watchTowr's technical writeup, the full attack chain works like this:
- Exploit CVE-2026-2699 to bypass authentication and reach admin controls
- Extract the zone passphrase and cryptographic secrets from configuration
- Generate valid upload signatures using the stolen secrets
- Upload a webshell to the webroot via CVE-2026-2701
- Execute arbitrary commands on the underlying Windows server
What Gets Compromised
ShareFile Storage Zones Controller manages the actual file storage for ShareFile deployments—the data at rest. A compromised controller gives attackers access to every file stored in that zone, including documents shared through ShareFile's enterprise collaboration features.
Organizations often deploy ShareFile for sensitive document exchange: legal contracts, financial records, healthcare data, and HR documents. The Storage Zones Controller architecture means this data sits on customer-managed infrastructure rather than in Progress's cloud—which is why these on-prem deployments exist in the first place.
Beyond file exfiltration, the webshell provides persistent access to a server sitting inside the corporate network. ShareFile deployments typically have network access to other internal systems, making them valuable pivot points.
Progress's Silent Patch
Progress released version 5.12.4 on March 10 with minimal fanfare. The release notes mention "security improvements" without detailing the severity. watchTowr's disclosure three weeks later provided the technical context organizations need to prioritize the update.
This approach has precedent. The FortiClient EMS vulnerability followed a similar pattern, with the vendor downplaying severity until researchers published exploitation details. The pattern creates a window in which attackers who diff the patch can develop exploits before defenders understand the urgency.
ShadowServer Foundation reports approximately 700 internet-accessible ShareFile instances remain unpatched as of this writing. Most are located in the United States and Europe.
Detection and Response
Organizations should check their ShareFile Storage Zones Controller version immediately. The vulnerable component is specifically the customer-managed Storage Zones Controller in the 5.x branch—ShareFile's SaaS offering and other components are not affected.
If you cannot patch immediately, restrict network access to the Storage Zone Controller. The exploit requires direct HTTP connectivity to the controller's management interface. Placing the system behind a VPN or firewall with strict access controls reduces exposure while you schedule the maintenance window.
Review web server logs for unusual POST requests to configuration endpoints and file upload paths. The exploit chain leaves artifacts in IIS logs that can indicate exploitation attempts.
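The two checks in this section, version triage and IIS log review, can be scripted. The following is an added example written for this article, not code from Progress or watchTowr. The article names no endpoint paths, so the configuration and upload URI fragments below are placeholders to be replaced with the paths from the vendor advisory, and the IIS log lines are constructed sample data. The script parses the default IIS W3C field layout, tags each request with a stage of the chain the article describes (unauthenticated configuration write, upload of a server-side script, later requests for that uploaded file), and reports client IPs that hit more than one stage.

```python
import re
from collections import defaultdict

# Default IIS W3C extended field order (a #Fields: header overrides this when present).
IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
              "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# PLACEHOLDER URI fragments (assumption, not from the article): substitute the
# real configuration and upload paths from the Progress advisory for your deployment.
CONFIG_PATH_HINTS = ("/placeholder-config/",)
UPLOAD_PATH_HINTS = ("/placeholder-upload",)
SCRIPT_SUFFIXES = (".aspx", ".ashx", ".asmx")

def is_vulnerable_version(version):
    """True for a 5.x Storage Zones Controller older than 5.12.4, the affected range
    named in the article. Other branches are out of scope for this check."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts = parts + (0,) * (3 - len(parts))          # "5.11" -> (5, 11, 0)
    return parts[0] == 5 and parts[:3] < (5, 12, 4)

def parse_iis_lines(text):
    """Yield one dict per data line; comment lines are skipped, #Fields is honoured."""
    fields = IIS_FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def uploaded_script_name(rec):
    """Basename of an uploaded file if the query names a server-side script, else None."""
    m = re.search(r"filename=([^&]+)", rec["cs-uri-query"].lower())
    if m and m.group(1).endswith(SCRIPT_SUFFIXES):
        return m.group(1).rsplit("/", 1)[-1]
    return None

def classify(rec):
    """Map one request to a chain stage, or None for traffic this heuristic ignores."""
    method = rec["cs-method"].upper()
    uri = rec["cs-uri-stem"].lower()
    authenticated = rec["cs-username"] != "-"
    if method == "POST" and any(h in uri for h in CONFIG_PATH_HINTS) and not authenticated:
        return "config-write-unauthenticated"
    if method == "POST" and any(h in uri for h in UPLOAD_PATH_HINTS) and uploaded_script_name(rec):
        return "script-upload"
    return None

def find_chains(text):
    """Return {client_ip: [(timestamp, stage, uri), ...]} for clients that performed
    both an unauthenticated configuration write and a script upload, including any
    later request for the uploaded file name (the webshell being used)."""
    per_ip = defaultdict(list)
    uploaded = set()                                  # basenames seen in script uploads
    for rec in parse_iis_lines(text):
        stage = classify(rec)
        if stage == "script-upload":
            uploaded.add(uploaded_script_name(rec))
        elif stage is None and rec["cs-uri-stem"].lower().rsplit("/", 1)[-1] in uploaded:
            stage = "uploaded-script-executed"
        if stage:
            per_ip[rec["c-ip"]].append((rec["date"] + " " + rec["time"], stage, rec["cs-uri-stem"]))
    required = {"config-write-unauthenticated", "script-upload"}
    return {ip: hits for ip, hits in per_ip.items() if required <= {h[1] for h in hits}}

# Constructed sample log: one attacker-like sequence and one ordinary authenticated upload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-03-20 10:00:01 10.0.0.5 GET /placeholder-config/settings - 443 - 203.0.113.7 Mozilla/5.0 - 302 0 0 15
2026-03-20 10:00:03 10.0.0.5 POST /placeholder-config/settings - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
2026-03-20 10:00:09 10.0.0.5 POST /placeholder-upload filename=x.aspx&sig=abc 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 70
2026-03-20 10:00:12 10.0.0.5 GET /x.aspx - 443 - 203.0.113.7 python-requests/2.31.0 - 200 0 0 22
2026-03-20 10:05:00 10.0.0.5 POST /placeholder-upload filename=report.pdf&sig=def 443 alice 198.51.100.4 Mozilla/5.0 - 200 0 0 120
"""

if __name__ == "__main__":
    print("5.12.3 vulnerable:", is_vulnerable_version("5.12.3"))
    for ip, hits in find_chains(SAMPLE_LOG).items():
        print(f"possible exploit chain from {ip}:")
        for ts, stage, uri in hits:
            print(f"  {ts}  {stage:<30} {uri}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the site's W3C log files once the placeholder paths are set; the cs-username heuristic assumes IIS records the authenticated user for the management interface, so treat a "config-write-unauthenticated" hit as a prompt to inspect the session, not as proof on its own. Pair the log review with a file-system check of the webroot for recently created .aspx files that the product did not ship.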
Why Progress Products Keep Appearing Here
Progress Software's portfolio has become a favorite target. The MOVEit Transfer mass exploitation in 2023 exposed over 2,600 organizations. The Telerik UI vulnerabilities have been chained in attacks against government agencies. These ShareFile flaws continue the pattern of critical vulnerabilities in enterprise file transfer products that handle sensitive data and sit at network boundaries.
Organizations running any Progress products should audit their deployments and ensure security advisories reach the teams managing these systems. The 23-day gap between patch availability and public disclosure represents a window where only the most diligent organizations applied the fix.