Yet Another File Transfer Solution in the Crosshairs
If the CISA Known Exploited Vulnerabilities (KEV) catalog has taught security teams anything, it's that file transfer solutions are an enduring favorite target for threat actors, ransomware gangs, and nation-state APT groups alike. From the catastrophic MOVEit breach of 2023 to Cleo Harmony's exploitation in 2024 and Fortra's GoAnywhere vulnerabilities in 2025, the pattern is unmistakable. Now, researchers at watchTowr have added Progress ShareFile to that lineage — disclosing a pre-authenticated remote code execution (RCE) chain composed of two newly assigned CVEs: CVE-2026-2699 (Authentication Bypass) and CVE-2026-2701 (Remote Code Execution).
Both vulnerabilities affect ShareFile's on-premises Storage Zone Controller, specifically the 5.x branch, and were present in StorageCenter_5.12.3, the latest version at the time of research. Patches were released in version 5.12.4 on March 10, 2026. With roughly 30,000 instances of the Storage Zone Controller exposed on the public internet, the potential attack surface is significant.
What Is Progress ShareFile and Its Storage Zone Controller?
Progress ShareFile — formerly a Citrix product before being acquired by Progress in 2024 — is a secure file collaboration platform designed for businesses to share files, collect signatures, request data, and manage workflows with clients. At first glance, ShareFile appears to be a purely SaaS-based offering, which would typically place it outside the scope of on-premises vulnerability research.
However, ShareFile maintains an on-premises component called the Storage Zone Controller. This customer-managed gateway allows organizations to keep their data within their own infrastructure — whether on local file systems, SMB servers, or cloud bucket storage — while still leveraging ShareFile's SaaS interface for access management and sharing. This architecture is particularly appealing to organizations with strict data sovereignty requirements, regulatory compliance obligations, or internal security policies that prohibit storing sensitive data in third-party infrastructure.
The Storage Zone Controller handles secure file transfers, authentication, and policy enforcement, letting customers control where data lives while ShareFile manages access and sharing.
This hybrid model creates a meaningful attack surface: an internet-facing component, customer-managed, and responsible for authentication and file access — exactly the profile that threat actors have historically weaponized.
The Research Methodology: Dissecting a .NET IIS Application
The watchTowr researchers approached the Storage Zone Controller with a clear objective: achieve a full compromise from a pre-authenticated, external attacker's perspective. The application is installed under IIS at C:\inetpub\wwwroot\ShareFile and registered under the IIS Default Web Site.
ShareFile's codebase comes in two major branches:
- Branch 6.x — Built on .NET Core
- Branch 5.x — Built on ASP.NET (the affected branch)
After extracting and decompiling all compiled .dll files into readable C# code, the researchers set up a fully configured production-like environment — connecting the Storage Zone Controller to Progress's SaaS platform and configuring a Primary Zone backed by a local file server.
Their methodology followed a structured approach common to .NET web application audits:
- Enumerate all script-based entry points: .aspx, .ashx, and .asmx files
- Analyze REST API routes defined in web.config and backed by compiled DLL code
- Observe how the live application responds to unauthenticated requests (status codes, content length, content type) to identify behavioral anomalies not immediately obvious in static code analysis
This "poke the live application" approach is critical: applications in motion often reveal authentication logic quirks, caching behaviors, and error handling paths that static analysis alone misses.
CVE-2026-2699: Authentication Bypass (WT-2026-0006)
The first step in the attack chain was identifying endpoints reachable without authentication. Researchers began by systematically requesting every .aspx file within the application, observing server responses to map out which paths enforce authentication and which do not.
Among the enumerated endpoints were paths such as /AdvancedStatus.aspx, /cifs/upload-streaming-2.aspx, and /cifs/upload.aspx. This reconnaissance phase ultimately led to the discovery of an authentication bypass vulnerability — allowing an unauthenticated attacker to interact with functionality that should be restricted to authenticated sessions.
Authentication bypass vulnerabilities in file transfer solutions are particularly dangerous because they collapse the primary security boundary. Once an attacker can interact with authenticated functionality without valid credentials, the question becomes not whether deeper exploitation is possible, but how quickly it can be achieved.
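The systematic requesting of script entry points described above leaves a recognizable trail in IIS logs, so defenders can look for it on their own Storage Zone Controllers. The following is an added example, not code from watchTowr or Progress: it assumes IIS W3C logs with a #Fields header, treats a cs-username of "-" as "no IIS-level identity", and uses hypothetical thresholds (min_paths, window); the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}  # entry-point types named in the article
# Constructed IIS W3C sample: Example.ashx and every status code are placeholders.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-03-12 09:14:01 GET /AdvancedStatus.aspx - 203.0.113.7 200
2026-03-12 09:14:02 GET /cifs/upload.aspx - 203.0.113.7 401
2026-03-12 09:14:02 GET /cifs/upload-streaming-2.aspx - 203.0.113.7 401
2026-03-12 09:14:04 GET /Example.ashx - 203.0.113.7 302
2026-03-12 09:20:00 POST /cifs/upload.aspx svc-share 198.51.100.20 200
2026-03-12 09:21:00 GET /cifs/upload.aspx - 198.51.100.9 401
"""

def anon_script_requests(text):
    """Yield (ts, client_ip, path, status) for script requests with no IIS username."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):        # column names can change mid-file
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            r = dict(zip(fields, line.split()))
            path = r["cs-uri-stem"].lower()
            if r["cs-username"] == "-" and PurePosixPath(path).suffix in SCRIPT_EXTS:
                ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
                yield ts, r["c-ip"], path, int(r["sc-status"])

def find_sweeps(text, min_paths=4, window=timedelta(seconds=60)):
    """Map client IP -> distinct script paths when one window holds >= min_paths."""
    by_ip = defaultdict(list)
    for ts, ip, path, _ in anon_script_requests(text):
        by_ip[ip].append((ts, path))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

def anonymous_200s(text):
    """Script paths that returned 200 without an IIS username: review each one."""
    return sorted({(ip, p) for _, ip, p, st in anon_script_requests(text) if st == 200})

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG), anonymous_200s(SAMPLE_LOG))
```

An entry in anonymous_200s is a review item rather than proof of a bypass, since an application can authenticate requests itself without populating cs-username.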
CVE-2026-2701: Remote Code Execution (WT-2026-0007)
With the authentication barrier removed, the researchers were able to chain the bypass directly into a remote code execution vulnerability. The RCE flaw, also present in the 5.x branch, allowed arbitrary code to be executed on the underlying server hosting the Storage Zone Controller — granting an attacker complete control over the system and, by extension, access to all files managed through that zone.
The combination of these two vulnerabilities forms a fully pre-authenticated RCE chain: no credentials, no prior access, no user interaction required. An attacker with network access to a vulnerable ShareFile Storage Zone Controller could achieve code execution in a single exploit flow.
Patch Status and Affected Versions
Both vulnerabilities were responsibly disclosed and have been addressed. Organizations running ShareFile's on-premises Storage Zone Controller should take immediate action:
- Affected version: StorageCenter_5.12.3 and earlier (5.x branch)
- Fixed version: StorageCenter_5.12.4
- Patch release date: March 10, 2026
- Branch 6.x (.NET Core): Not affected by these specific vulnerabilities
With approximately 30,000 internet-exposed instances identified, organizations that have not yet applied the 5.12.4 patch should treat this as a critical, time-sensitive remediation. Given the historical pattern of file transfer vulnerabilities being rapidly weaponized — often within days of public disclosure — delay is not a viable strategy.
The Broader Pattern: Why File Transfer Tools Keep Getting Exploited
The ShareFile disclosure reinforces a pattern that defenders cannot afford to ignore. File transfer solutions occupy a uniquely privileged position in enterprise environments: they are internet-facing by design, they handle sensitive data, they are trusted by internal systems, and they are often deprioritized for security review compared to more visible infrastructure.
Threat actors — particularly ransomware operators and data extortion groups — have consistently demonstrated the ability to identify and operationalize vulnerabilities in these platforms faster than organizations can patch. MOVEit, GoAnywhere, Cleo, and now ShareFile represent a category of risk that demands proactive security hygiene: regular patching, minimizing internet exposure where possible, network segmentation, and continuous monitoring for anomalous file access patterns.
Conclusion: Patch Now, Monitor Always
The watchTowr research into Progress ShareFile is a timely reminder that even fully-patched enterprise software can harbor critical pre-authentication vulnerabilities. CVE-2026-2699 and CVE-2026-2701, when chained together, deliver a complete pre-auth RCE capability against a platform trusted with sensitive organizational data.
For security teams managing ShareFile deployments: upgrade to StorageCenter_5.12.4 immediately. For the broader security community, this research underscores the ongoing importance of offensive security research targeting file transfer infrastructure — the threat actors certainly haven't stopped looking.