Researchers at offensive security firm watchTowr have disclosed two vulnerabilities in Progress ShareFile's Storage Zones Controller (SZC) that, when chained, give an unauthenticated attacker remote code execution on affected servers. The pair — CVE-2026-2699 (authentication bypass) and CVE-2026-2701 (remote code execution) — affect customer-managed SZC deployments in ShareFile branch 5.x up to and including 5.12.3, and are fixed in version 5.12.4. With watchTowr counting roughly 30,000 internet-facing SZC instances, unpatched, on-premises deployments remain a high-value target for the ransomware crews that have repeatedly hunted managed file transfer (MFT) software.

Why ShareFile is a target

Progress ShareFile is an enterprise document-sharing and collaboration platform widely used by mid-sized and large organizations to move files internally and with external parties. The Storage Zones Controller is the component that lets customers keep their data on their own on-premises hardware, in a third-party cloud, or on Progress-managed infrastructure — a data-sovereignty feature that also makes the SZC an appealing entry point for attackers.

MFT platforms have a long history as ransomware and extortion targets because they aggregate large volumes of sensitive enterprise data. The Clop group in particular has built a track record of weaponizing flaws in this software class, including:

  • Accellion FTA
  • SolarWinds Serv-U
  • Gladinet CentreStack
  • GoAnywhere MFT
  • MOVEit Transfer
  • Cleo

That pattern is exactly why ShareFile operators should treat this disclosure as urgent.

The two vulnerabilities

CVE-2026-2699 — authentication bypass

CVE-2026-2699 is a critical authentication bypass in the SZC web management interface, rated CVSS v3.1 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as Improper Access Control (CWE-284) combined with an Execution After Redirect (EAR) condition: the interface mishandles HTTP redirects and applies insufficient access control, so an unauthenticated remote attacker can reach restricted administrative configuration pages. From there an attacker can read and alter security-critical settings such as file storage paths and the zone passphrase.

Only customer-managed (on-premises) Storage Zones Controller deployments are impacted. According to the 0xBlackash CVE-2026-2699 write-up, ShareFile 6.x and cloud-hosted instances are not affected, and the fix shipped in SZC 5.12.4 (released March 2026).

CVE-2026-2701 — remote code execution

CVE-2026-2701 enables code execution by abusing the application's file upload and archive-extraction functionality to drop a malicious ASPX webshell directly into the application's webroot, handing the attacker persistent, interactive control of the server.

On its own, CVE-2026-2701 is not trivial: it requires valid HMAC signatures and the ability to decrypt internal application secrets. watchTowr's research shows those prerequisites fall into place once CVE-2026-2699 is used first, because the authentication bypass lets an attacker read or set the passphrase-related values that the cryptographic checks depend on.

How the exploit chain works

watchTowr describes the end-to-end attack as a five-step sequence:

  1. Bypass authentication — exploit CVE-2026-2699 via the malformed HTTP redirect handling to reach the SZC admin interface without credentials.
  2. Harvest secrets — use that admin access to read or modify the zone passphrase and related internal secrets held in configuration.
  3. Forge integrity tokens — generate valid HMAC signatures from the extracted secrets to satisfy the application's integrity checks.
  4. Plant a webshell — exploit CVE-2026-2701 to upload and extract a crafted archive that places an ASPX webshell in the webroot.
  5. Execute commands — run arbitrary commands through the webshell, achieving full RCE without ever authenticating legitimately.

As watchTowr's team put it, the combination produces "a pre-authentication remote code execution primitive that requires no credentials whatsoever from the attacker."

Detecting vulnerable instances

watchTowr published a non-destructive Detection Artifact Generator for CVE-2026-2699. It sends a GET request to the /ConfigService/Admin.aspx endpoint and inspects the response to determine whether the instance is exposed. Importantly, the tool only checks for the authentication bypass — it does not perform the full zone takeover and does not chain into the RCE (CVE-2026-2701).

Run it against a target host like this:


$ python3 watchTowr-vs-Progress-ShareFile-CVE-2026-2699.py -H http://sharefile.lab.local
                         __         ___  ___________
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(  <_> \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|
                                  \/          \/     \/

        watchTowr-vs-Progress-ShareFile-CVE-2026-2699.py
        (*) CVE-2026-2699 Progress ShareFile Authentication Bypass - Detection Artifact Generator

          - Sonny and Piotr of watchTowr

        CVEs: CVE-2026-2699

[+] Detection Artifact Generator Started
[+] Sending GET to /ConfigService/Admin.aspx
[+] PROBABLY VULNERABLE

A PROBABLY VULNERABLE result indicates the admin endpoint is reachable in a way consistent with the bypass.

Exposure on the internet

The size of the exposed footprint is the core of the concern. watchTowr's own scanning identified roughly 30,000 Storage Zones Controller instances reachable from the public internet. ShadowServer telemetry is more conservative, currently tracking around 700 publicly exposed ShareFile instances, concentrated mostly in the United States and Europe. Whichever figure is closer to the truth, both represent a meaningful population of systems handling sensitive data that stays at risk until patched.

Disclosure timeline

  • February 6–13, 2026 — watchTowr reported the vulnerabilities to Progress.
  • February 18, 2026 — the full exploit chain was confirmed working.
  • March 10, 2026 — Progress released the fix in ShareFile version 5.12.4.

No in-the-wild exploitation has been observed as of writing. With the technical details now public, however, that window is expected to narrow quickly — actors who specialize in MFT platforms actively watch disclosures like this one.

Detection and mitigation

Organizations running Progress ShareFile Storage Zones Controller on branch 5.x should treat remediation as urgent:

  • Patch now — upgrade every SZC deployment to 5.12.4 or later.
  • Reduce exposure — restrict public internet access to SZC admin interfaces wherever operationally feasible.
  • Review logs — look for anomalous HTTP redirect behavior, unexpected access to the admin interface, and unusual file upload or archive-extraction activity. The /ConfigService/Admin.aspx endpoint is a useful focal point given the detection method above.
  • Hunt for webshells — scan the application webroot for unexpected .aspx files that could indicate prior compromise.
  • Rotate secrets — after patching, rotate zone passphrases and other sensitive configuration secrets as a precaution, since the bypass may have exposed them.

Bottom line

The ShareFile chain of CVE-2026-2699 and CVE-2026-2701 is a textbook pre-authentication RCE of the kind ransomware and extortion groups have repeatedly weaponized against MFT platforms. Responsible disclosure gave Progress time to ship 5.12.4 before exploit code went public, but with full technical detail now available the grace period for unpatched, internet-facing Storage Zones Controllers is effectively over. Prioritize those deployments first.