Progress Orders ShareFile Storage Zone Shutdown Over Security Threat
Progress Software tells ShareFile customers to immediately shut down Storage Zone Controllers due to a credible security threat. The company disabled affected accounts while investigating.
Progress Software ordered ShareFile Storage Zone Controller customers to immediately shut down their Windows servers on July 10, citing a "credible external security threat." The company took the unusual step of temporarily disabling affected customer accounts as a precautionary measure while investigating.
The incident became public after a customer posted Progress's notification email to Reddit's r/sysadmin community. By early afternoon, Progress had updated its status page to confirm "Storage Zone Controller customers are not operational" with the incident listed as under investigation.
Emergency Shutdown Requirements
Storage Zone Controllers are edge servers that organizations deploy to handle file transfers locally rather than routing everything through ShareFile's cloud infrastructure. These controllers remain internet-accessible by design, making them attractive targets for attackers.
Progress issued specific guidance for affected customers:
- Follow the shutdown order immediately and keep controllers offline
- Confirm your version is current (5.12.4 or later on the 5.x line, or any 6.x release)
- Do not restart servers without explicit Progress authorization
- If internet-accessible, treat the server as a potential incident site and preserve all logs
- Check for unfamiliar .aspx files in web folders and storage paths
The requirement to keep systems completely offline, rather than simply applying a patch, suggests either an unpatched zero-day vulnerability or a threat requiring total isolation rather than remediation.
History of ShareFile Security Issues
This isn't the first time Progress has faced critical security concerns with ShareFile infrastructure. CVE-2023-24489 was an unauthenticated flaw in Storage Zone Controller actively exploited in 2023. Two additional critical vulnerabilities were disclosed in April 2026 and patched in March, though Progress has not connected these to the current threat.
Progress Software also dealt with significant security incidents in its MOVEit Transfer product in 2023, when the Cl0p ransomware operation exploited zero-day vulnerabilities to breach hundreds of organizations worldwide.
Standard Cloud ShareFile Users Unaffected
Organizations using ShareFile's standard cloud-only deployment are not affected by this shutdown order. The security threat applies specifically to customers who deployed Storage Zone Controllers to maintain local control over file storage.
For enterprises that rely on these controllers for compliance or performance reasons, the forced outage creates operational challenges. Progress has not provided a timeline for when customers can safely restore service.
What This Means for File Sharing Security
The ShareFile incident highlights ongoing risks with on-premises components of hybrid cloud services. Edge servers that maintain internet connectivity for legitimate business purposes also expand the attack surface compared to pure cloud deployments.
Organizations using any self-hosted file transfer infrastructure should verify their patch levels and review access logs for suspicious activity. For broader guidance on securing enterprise systems, see our online safety tips covering network security fundamentals.
We'll update this article as Progress releases additional information about the nature of the threat and remediation timeline.
Related Articles
Progress ShareFile Flaws Chain to Pre-Auth RCE on 30,000 Servers
CVE-2026-2699 and CVE-2026-2701 combine to let unauthenticated attackers take over ShareFile Storage Zone Controllers. Patches available since March 10.
Apr 6, 2026Zimbra Patches Critical XSS That Runs Code When Opening Emails
Zimbra urges immediate patching for a stored XSS flaw in Classic Web Client that executes malicious code when users open crafted emails. Google TAG reported the vulnerability.
Jul 12, 2026Kemp LoadMaster Pre-Auth RCE Exploited Days After PoC Release
CVE-2026-8037 lets unauthenticated attackers execute root-level commands on Progress Kemp LoadMaster appliances. Exploitation attempts started June 29, same day as PoC publication.
Jul 3, 2026Cisco SD-WAN Zero-Day Exploited Since May—CVSS 10.0
CVE-2026-20182 allows unauthenticated attackers to inject rogue peers into Cisco SD-WAN fabrics. Active exploitation since May; no workaround available—patch immediately.
Jul 1, 2026