Progress Urges ShareFile Admins to Shut Down Servers Over Credible Security Threat Cybersecurity
Key Facts
- In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1.
- In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller (CVE-2023-24489).
- Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, whose 2023 zero-day was exploited by the Clop group and hit more than 2,700 organizations.
- Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
- The Storage Zones Controller also had two critical flaws that watchTowr disclosed in April and Progress patched in March, though the company has not connected the current threat to them, and neither has been reported as exploited.
- Given the platform’s history of critical pre-authentication RCE flaws, security teams should treat this new warning seriously even without technical details, isolating internet-facing Storage Zone Controller instances and monitoring for further guidance from Progress.
- The company has not publicly detailed the nature of the threat, leaving open the possibility that it relates to a new zero-day or renewed exploitation attempts against the Storage Zone Controller architecture.
- - Separately, confirm your version is current: 5.12.4 or later on the 5.x line, or a 6.x release.
- The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data.
- Progress Alert Progress says it expects to share updates within 24 hours and has framed the move as an abundance-of-caution measure rather than confirmation of an active breach.
In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1. The issue is tracked as CVE-2026-2699, CVE-2026-2701, CVE-2023-24489. In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller (CVE-2023-24489).
TL;DR
- Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, whose 2023 zero-day was exploited by the Clop group and hit more than 2,700 organizations.
- Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
- The Storage Zones Controller also had two critical flaws that watchTowr disclosed in April and Progress patched in March, though the company has not connected the current threat to them, and neither has been reported as exploited.
Context of the Unknown Incident
Given the platform’s history of critical pre-authentication RCE flaws, security teams should treat this new warning seriously even without technical details, isolating internet-facing Storage Zone Controller instances and monitoring for further guidance from Progress.
Further details indicate that the company has not publicly detailed the nature of the threat, leaving open the possibility that it relates to a new zero-day or renewed exploitation attempts against the Storage Zone Controller architecture.
- Separately, confirm your version is current: 5.12.4 or later on the 5.x line, or a 6.x release.
The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data.
“credible external security threat.”, Spokesperson
Technical Details
CVEs:
Technical specifics on the underlying mechanism remain under review by security researchers.
Impact
Progress Software has issued an urgent advisory instructing customers running on-premises ShareFile Storage Zone Controllers to immediately power down the servers hosting these components, citing a “credible external security threat” against the platform. The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data. Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
Timeline
| Date | Event | |, , |, , -| | 2026 | In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an a… | | 2023 | In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage … | | 2024 | Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, who… |
What To Do Now
-
Progress Alert Progress says it expects to share updates within 24 hours and has framed the move as an abundance-of-caution measure rather than confirmation of an active breach.
-
Chained together, the bugs allowed unauthenticated attackers to reach restricted configuration pages and upload malicious ASPX webshells to achieve full remote code execution without credentials.
-
Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
-
Ordering customers to take it fully offline, rather than just patch it, is a notable step.
-
If a fix for this threat existed, Progress would be telling customers to apply it; the shutdown order suggests there is none yet.
-
That usually means a newly found flaw the company is racing to close, though the same step would also fit a threat a patch cannot address, such as stolen keys or a problem on Progress’s own side.
Analysis
This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.
Sources
Sources & References
- CVE-2026-2699 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-2699
- CVE-2026-2701 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2026-2701
- CVE-2023-24489 — NIST National Vulnerability Database entry. https://nvd.nist.gov/vuln/detail/CVE-2023-24489
- CVE-2026-2699 — National Vulnerability Database
- CVE-2026-2701 — National Vulnerability Database
- CVE-2023-24489 — National Vulnerability Database
SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.
Security Digest
Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.
Related Articles
WP-SHELLSTORM Exposed: Hackers Backdoored Thousands of WordPress Websites Cybersecurity
Treat the Joomla JCE flaw (CVE-2026-48907, fixed in 2.9.99.5) as urgent too, since it is a maximum-severity and on CISA's actively-exploited list, even...
TechnologyOusaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures Malware
This malware employs sophisticated techniques to evade detection and steal banking credentials, The Hacker News reports.The Ousaban campaign begins with a phishing PDF disguised as a corrupted file, p...
TechnologySecure Amazon container workloads using container attribute-based rules in AWS Network Firewall
If you run AI and machine learning (ML) workloads on Amazon EKS, such as model inference, RAG pipelines, or JupyterHub, your containerized workloads require the same firewall protections you enforce f...
TechnologyICANN Sets October 2026 DNS Trust Anchor Rollover
The Domain Name System, or DNS, is getting a major update to its security protocol. This update, scheduled for October 2026, affects the DNS Security Extensions root zone Key Signing Key, a crucial co...