Overview: Chained Vulnerabilities Threaten Enterprise File Transfer

Two newly disclosed vulnerabilities in Progress ShareFile, a widely deployed enterprise secure file transfer and document collaboration platform, can be chained together to enable unauthenticated remote code execution (RCE) on affected servers. Discovered by researchers at offensive security firm watchTowr, the flaws affect the Storage Zones Controller (SZC) component in ShareFile branch 5.x. Progress has released a patch in version 5.12.4, but with approximately 30,000 SZC instances publicly exposed on the internet, the risk of exploitation remains significant for unpatched environments.

What Is Progress ShareFile and Why Is It a Target?

Progress ShareFile is an enterprise-grade document sharing and collaboration solution commonly used by mid-sized and large organizations to securely transfer files both internally and externally. The Storage Zones Controller component is a particularly attractive feature — it lets customers store data on their own on-premises infrastructure, in a third-party cloud, or on Progress-managed systems, giving organizations greater control over sensitive data sovereignty.

This type of managed file transfer (MFT) software has historically been a high-value target for ransomware and data extortion actors. The Clop ransomware group, for example, has previously exploited vulnerabilities in:

  • Accellion FTA
  • SolarWinds Serv-U
  • Gladinet CentreStack
  • GoAnywhere MFT
  • MOVEit Transfer
  • Cleo

The pattern is clear: file transfer platforms that handle large volumes of sensitive enterprise data represent lucrative targets, making rapid patching of Progress ShareFile a critical priority.

The Two CVEs: Authentication Bypass and Remote Code Execution

CVE-2026-2699: Authentication Bypass

The first vulnerability, CVE-2026-2699, is an authentication bypass affecting the ShareFile admin interface. The flaw stems from improper handling of HTTP redirects, which allows an unauthenticated attacker to gain unauthorized access to the administrative panel of the Storage Zones Controller. Once inside, the attacker can read and modify sensitive configuration settings, including file storage paths, the zone passphrase, and other security-critical parameters.

CVE-2026-2701: Remote Code Execution via File Upload Abuse

The second vulnerability, CVE-2026-2701, enables remote code execution on the server. Attackers exploit file upload and extraction functionality within the application to plant malicious ASPX webshells directly in the application's webroot directory. With a webshell in place, an attacker gains persistent, interactive control over the compromised server.

While exploiting CVE-2026-2701 requires generating valid HMAC signatures and decrypting internal application secrets, watchTowr's research confirms this becomes achievable after leveraging CVE-2026-2699 — because the authentication bypass allows an attacker to set or read passphrase-related values that underpin those cryptographic operations.

How the Exploit Chain Works Step by Step

The full attack chain, as described by watchTowr, proceeds as follows:

  • Step 1: Exploit CVE-2026-2699 to bypass authentication and gain access to the ShareFile admin interface by abusing its improper handling of HTTP redirects.
  • Step 2: Use admin access to read or modify the zone passphrase and related internal secrets stored in configuration settings.
  • Step 3: Generate valid HMAC signatures using the extracted secrets to satisfy the application's integrity checks.
  • Step 4: Exploit CVE-2026-2701 to upload and extract a malicious archive, placing an ASPX webshell in the application's webroot.
  • Step 5: Execute arbitrary commands on the server via the webshell, achieving full remote code execution without ever authenticating legitimately.

"The combination of these two flaws creates a pre-authentication remote code execution primitive that requires no credentials whatsoever from the attacker." — watchTowr Research Team

Exposure and Internet Attack Surface

The scale of exposure is a serious concern. watchTowr's own internet scans identified approximately 30,000 Storage Zones Controller instances accessible from the public internet. The Shadowserver Foundation's telemetry paints a more conservative picture, currently tracking around 700 publicly exposed Progress ShareFile instances, with the majority concentrated in the United States and Europe.

Regardless of which figure more accurately reflects the true attack surface, both numbers represent a substantial footprint of enterprise systems that process sensitive organizational data — and that remain at risk until patched.

Disclosure Timeline and Patch Availability

watchTowr followed responsible disclosure procedures, reporting the vulnerabilities to Progress between February 6 and February 13, 2026. The full exploit chain was confirmed valid on February 18, 2026. Progress responded by releasing security fixes in ShareFile version 5.12.4, published on March 10, 2026.

As of the time of writing, no active exploitation in the wild has been observed. However, with the technical details of the exploit chain now publicly disclosed, that window is likely to close quickly. Threat actors — especially those specializing in MFT platform exploitation — actively monitor public vulnerability disclosures for exactly this type of opportunity.

Recommended Actions for Security Teams

Organizations running Progress ShareFile Storage Zones Controller on branch 5.x should treat this as an urgent remediation task. Recommended steps include:

  • Patch immediately: Upgrade all ShareFile Storage Zones Controller deployments to version 5.12.4 or later.
  • Audit internet exposure: Identify and restrict public internet access to SZC admin interfaces where operationally feasible.
  • Review server logs: Inspect web server and application logs for anomalous HTTP redirect patterns, unexpected admin interface access, or unusual file uploads and archive extraction activity.
  • Hunt for webshells: Scan the application webroot for unexpected .aspx files that may indicate prior compromise.
  • Rotate secrets: After patching, consider rotating zone passphrases and other sensitive configuration secrets as a precaution.
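
As an added example (not code from watchTowr or Progress), the webshell hunt above can be run as a baseline comparison: hash every IIS-executable script under the live webroot and diff the result against a manifest built from a clean reference install of the same version. The reference install, the file names in the constructed demo tree, and the extensions beyond .aspx are assumptions of this example.

```python
import hashlib
import os
import tempfile

# ASP.NET extensions IIS will execute; the article names .aspx, the others are added here.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx")

def manifest(root):
    """Map relative path -> SHA-256 for every script file under root.
    Paths are lower-cased because Windows/IIS paths are case-insensitive."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCRIPT_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                with open(full, "rb") as fh:
                    out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit(webroot, baseline):
    """Return sorted (path, reason) for scripts that are new or changed vs. baseline."""
    findings = []
    for rel, digest in manifest(webroot).items():
        if rel not in baseline:
            findings.append((rel, "not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed"))
    return sorted(findings)

def demo():
    """Constructed data: a clean reference tree and a live tree with two anomalies."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, live = os.path.join(tmp, "reference"), os.path.join(tmp, "live")
        for root in (ref, live):
            os.makedirs(os.path.join(root, "admin"))
            for rel, body in (("default.aspx", "home"), ("admin/config.aspx", "cfg")):
                with open(os.path.join(root, rel), "w") as fh:
                    fh.write(body)
        # Anomaly 1: an existing page whose content no longer matches the baseline.
        with open(os.path.join(live, "admin", "config.aspx"), "w") as fh:
            fh.write("cfg-modified")
        # Anomaly 2: a script that does not exist in the reference install.
        with open(os.path.join(live, "Upload1.ASPX"), "w") as fh:
            fh.write("unexpected")
        return audit(live, manifest(ref))

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:16} {path}")
```

On a real server, call audit() with the actual webroot path and a manifest taken from a known-good install; each finding is a file to inspect for timestamps, owner and contents before and after patching.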

Conclusion: Patch Before Threat Actors Weaponize This Chain

The Progress ShareFile vulnerability chain — CVE-2026-2699 and CVE-2026-2701 — represents a textbook pre-authentication RCE scenario that ransomware operators and data extortion groups have consistently exploited in similar MFT platforms. The responsible disclosure process worked as intended, giving Progress time to ship a patch before weaponized exploit code became public. But with full technical details now available, the grace period for unpatched organizations is effectively over.

Security teams should escalate this to immediate remediation status, prioritizing any internet-facing ShareFile Storage Zones Controller deployments. The history of Clop and similar groups targeting MFT software makes the threat calculus straightforward: patch now, or risk becoming the next headline.