Skip to main content
SecurityXP

Progress Urges ShareFile Admins to Shut Down Servers Over Credible Security Threat Cybersecurity

· 3 min read · SecurityXP

Key Facts

  • In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1.
  • In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller (CVE-2023-24489).
  • Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, whose 2023 zero-day was exploited by the Clop group and hit more than 2,700 organizations.
  • Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
  • The Storage Zones Controller also had two critical flaws that watchTowr disclosed in April and Progress patched in March, though the company has not connected the current threat to them, and neither has been reported as exploited.
  • Given the platform’s history of critical pre-authentication RCE flaws, security teams should treat this new warning seriously even without technical details, isolating internet-facing Storage Zone Controller instances and monitoring for further guidance from Progress.
  • The company has not publicly detailed the nature of the threat, leaving open the possibility that it relates to a new zero-day or renewed exploitation attempts against the Storage Zone Controller architecture.
  • - Separately, confirm your version is current: 5.12.4 or later on the 5.x line, or a 6.x release.
  • The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data.
  • Progress Alert Progress says it expects to share updates within 24 hours and has framed the move as an abundance-of-caution measure rather than confirmation of an active breach.

In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1. The issue is tracked as CVE-2026-2699, CVE-2026-2701, CVE-2023-24489. In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller (CVE-2023-24489).

TL;DR

  • Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, whose 2023 zero-day was exploited by the Clop group and hit more than 2,700 organizations.
  • Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
  • The Storage Zones Controller also had two critical flaws that watchTowr disclosed in April and Progress patched in March, though the company has not connected the current threat to them, and neither has been reported as exploited.

Context of the Unknown Incident

Given the platform’s history of critical pre-authentication RCE flaws, security teams should treat this new warning seriously even without technical details, isolating internet-facing Storage Zone Controller instances and monitoring for further guidance from Progress.

Further details indicate that the company has not publicly detailed the nature of the threat, leaving open the possibility that it relates to a new zero-day or renewed exploitation attempts against the Storage Zone Controller architecture.

  • Separately, confirm your version is current: 5.12.4 or later on the 5.x line, or a 6.x release.

The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data.

“credible external security threat.”, Spokesperson

Technical Details

CVEs:

Technical specifics on the underlying mechanism remain under review by security researchers.

Impact

Progress Software has issued an urgent advisory instructing customers running on-premises ShareFile Storage Zone Controllers to immediately power down the servers hosting these components, citing a “credible external security threat” against the platform. The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data. Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.

Timeline

| Date | Event | |, , |, , -| | 2026 | In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an a… | | 2023 | In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage … | | 2024 | Progress, which acquired ShareFile in 2024, had already weathered a mass file-transfer attack of its own: MOVEit, who… |

What To Do Now

  1. Progress Alert Progress says it expects to share updates within 24 hours and has framed the move as an abundance-of-caution measure rather than confirmation of an active breach.

  2. Chained together, the bugs allowed unauthenticated attackers to reach restricted configuration pages and upload malicious ASPX webshells to achieve full remote code execution without credentials.

  3. Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.

  4. Ordering customers to take it fully offline, rather than just patch it, is a notable step.

  5. If a fix for this threat existed, Progress would be telling customers to apply it; the shutdown order suggests there is none yet.

  6. That usually means a newly found flaw the company is racing to close, though the same step would also fit a threat a patch cannot address, such as stolen keys or a problem on Progress’s own side.

Analysis

This disclosure adds to a growing pattern of critical vulnerabilities affecting enterprise infrastructure.

Sources

  1. https://nvd.nist.gov/vuln/detail/CVE-2026-2699
  2. https://nvd.nist.gov/vuln/detail/CVE-2026-2701
  3. https://nvd.nist.gov/vuln/detail/CVE-2023-24489

Sources & References

S SecurityXP
SecurityXP Cybersecurity News & Analysis

SecurityXP delivers daily cybersecurity news, vulnerability analysis, data breach reports, and threat intelligence.

Security Digest

Get the latest cybersecurity news, vulnerability alerts, and threat intelligence delivered to your inbox.

Related Articles