Researchers at watchTowr have disclosed a pre-authenticated remote code execution chain in Progress ShareFile's on-premises Storage Zone Controller, built from two newly assigned flaws: an authentication bypass tracked as CVE-2026-2699 (CVSS 9.8) and a remote code execution bug tracked as CVE-2026-2701. Both affect the 5.x branch of the Storage Zone Controller — including StorageCenter_5.12.3, the latest release at the time of the research — and were fixed in StorageCenter_5.12.4 on March 10, 2026. With roughly 30,000 Storage Zone Controller instances exposed to the public internet, the unpatched attack surface is substantial.
Another file-transfer platform under fire
If CISA's Known Exploited Vulnerabilities catalog has made one thing clear, it's that managed file-transfer products are a perennial target for ransomware crews, data-extortion groups, and nation-state operators. The 2023 MOVEit breach, the 2024 exploitation of Cleo Harmony, and Fortra's GoAnywhere flaws in 2025 all follow the same script. Progress ShareFile now joins that lineage: watchTowr's Sonny and Piotr chained two CVEs into a full pre-auth RCE against its customer-managed gateway.
The two issues carry watchTowr's internal identifiers WT-2026-0006 (CVE-2026-2699) and WT-2026-0007 (CVE-2026-2701).
What the Storage Zone Controller is
Progress ShareFile — a Citrix product until Progress acquired it in 2024 — is a secure file-collaboration platform for sharing files, collecting signatures, requesting data, and running client workflows. On the surface it looks like a pure SaaS product, which would normally place it outside the scope of on-prem vulnerability research.
The catch is the Storage Zone Controller (SZC), an on-premises component organizations run themselves. It lets a company keep its data inside its own infrastructure — local file systems, SMB shares, or cloud bucket storage — while still using ShareFile's SaaS layer for access management and sharing. The SZC handles secure file transfers, authentication, and policy enforcement, so the customer controls where data physically lives while Progress manages access and sharing. That appeals to organizations with data-sovereignty rules, regulatory obligations, or policies against storing sensitive data in third-party clouds.
It also produces exactly the profile attackers love: an internet-facing, customer-managed component responsible for both authentication and file access.
How the research was done
watchTowr's goal was a full compromise from the perspective of an unauthenticated, external attacker. The SZC installs under IIS at C:\inetpub\wwwroot\ShareFile and is registered under the IIS Default Web Site.
ShareFile ships in two major branches:
- 6.x — built on .NET Core (not affected by these flaws)
- 5.x — built on ASP.NET (the vulnerable branch)
After extracting and decompiling the compiled .dll files into readable C#, the team stood up a production-like environment: an SZC connected to Progress's SaaS platform with a Primary Zone backed by a local file server. From there they applied a standard .NET web-app audit methodology:
- Enumerate every script entry point —
.aspx,.ashx, and.asmxfiles - Map the REST API routes declared in
web.configand backed by compiled DLLs - Probe the live application's responses to unauthenticated requests — status codes, content length, content type — to surface behavioral quirks that static analysis misses
That "poke the running app" approach matters: authentication quirks, caching behavior, and error-handling paths often only reveal themselves at runtime.
CVE-2026-2699: the authentication bypass
The first step was finding endpoints reachable without a session. The researchers systematically requested every .aspx file and watched how the server responded, mapping which paths enforced authentication and which did not. Endpoints surfaced during this sweep included /AdvancedStatus.aspx, /cifs/upload-streaming-2.aspx, and /cifs/upload.aspx.
That reconnaissance led to the authentication bypass now tracked as CVE-2026-2699. According to the public technical analysis, the root cause is insufficient access control combined with flawed redirect handling in the SZC web-management interface — categorized as improper access control (CWE-284) with an Execution After Redirect (EAR) condition. An unauthenticated remote attacker can reach restricted administrative configuration pages, which can lead to configuration changes on their own and, when chained, to full compromise.
The bug is rated critical, CVSS v3.1 base score 9.8, with vector:
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Only customer-managed (on-premises) SZC deployments are affected; ShareFile 6.x and cloud-hosted instances are not.
CVE-2026-2701: chaining into RCE
Once the authentication boundary was removed, the team chained the bypass straight into a remote code execution flaw, CVE-2026-2701, also in the 5.x branch. It allows arbitrary code execution on the server hosting the SZC — granting full control of the host and, by extension, every file managed through that zone.
Together the two collapse into a complete pre-authenticated RCE chain: no credentials, no prior foothold, and no user interaction. An attacker with network reach to a vulnerable SZC can go from zero to code execution in a single flow.
Detecting exposure
watchTowr published a non-destructive detection artifact generator for the authentication bypass. It sends a GET request to the /ConfigService/Admin.aspx endpoint and inspects the response to judge whether an instance is exploitable. Importantly, the tool does not perform full exploitation (zone takeover) and does not chain the bypass with the RCE.
$ python3 watchTowr-vs-Progress-ShareFile-CVE-2026-2699.py -H http://sharefile.lab.local
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( <_> \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
watchTowr-vs-Progress-ShareFile-CVE-2026-2699.py
(*) CVE-2026-2699 Progress ShareFile Authentication Bypass - Detection Artifact Generator
- Sonny and Piotr of watchTowr
CVEs: CVE-2026-2699
[+] Detection Artifact Generator Started
[+] Sending GET to /ConfigService/Admin.aspx
[+] PROBABLY VULNERABLE
Tooling and analysis are available here:
- watchTowr detection artifact generator (CVE-2026-2699)
- 0xBlackash CVE-2026-2699 detection scripts and technical write-up
Affected versions and patch status
Both vulnerabilities were responsibly disclosed and patched. Teams running the on-premises SZC should act immediately:
- Affected: StorageCenter_5.12.3 and earlier (5.x branch)
- Fixed in: StorageCenter_5.12.4
- Patch released: March 10, 2026
- Not affected: Branch 6.x (.NET Core) and cloud-hosted ShareFile
With about 30,000 internet-exposed instances identified, anyone still on 5.12.3 or earlier should treat the upgrade as critical and time-sensitive. File-transfer bugs are historically weaponized within days of disclosure, so delaying is not a defensible position.
Why file-transfer tools keep getting hit
The ShareFile disclosure reinforces a pattern defenders can't ignore. File-transfer platforms sit in a uniquely exposed position: internet-facing by design, trusted by internal systems, handling sensitive data, and frequently deprioritized in security review versus more visible infrastructure. Ransomware and extortion operators have repeatedly proven they can find and weaponize these flaws faster than organizations patch. MOVEit, GoAnywhere, Cleo, and now ShareFile all demand the same hygiene: prompt patching, minimized internet exposure, network segmentation, and continuous monitoring for anomalous file-access activity.
Bottom line
CVE-2026-2699 and CVE-2026-2701 chain into a complete pre-auth RCE against a platform trusted with sensitive organizational data, and even a fully up-to-date deployment was vulnerable before the March fix. If you run a ShareFile Storage Zone Controller, upgrade to StorageCenter_5.12.4 now — and assume attackers are already scanning for the ones that haven't.