Researchers at offensive security firm watchTowr have disclosed two vulnerabilities in Progress ShareFile's Storage Zones Controller (SZC) that, when chained, give an unauthenticated attacker the ability to steal data and run arbitrary code on internet-facing servers. Tracked as CVE-2026-2699 (an authentication bypass rated CVSS 9.8) and CVE-2026-2701 (remote code execution), the flaws affect customer-managed SZC deployments in the ShareFile 5.x branch up to and including 5.12.3. Progress fixed both issues in version 5.12.4, released on March 10, 2026. Any organization still running an older 5.x Storage Zones Controller should patch immediately.

What ShareFile and the Storage Zones Controller do

Progress ShareFile is an enterprise document-sharing and collaboration platform widely deployed by mid-sized and large organizations that need granular security controls over file transfer. Its Storage Zones Controller component lets customers keep their data on infrastructure they control — either on-premises or with a third-party cloud provider — rather than relying solely on Progress-managed storage.

That flexibility is exactly what appeals to organizations with strict data-governance rules, but it also pushes a sensitive management interface onto the network edge. Secure and managed file transfer (MFT) platforms have a long history of being singled out by ransomware and extortion crews precisely because they pool large volumes of sensitive data behind an internet-reachable console. Recent examples include:

  • Accellion FTA — hit by the Clop ransomware group
  • SolarWinds Serv-U — abused in targeted intrusions
  • GoAnywhere MFT — mass-exploited by Clop in 2023
  • MOVEit Transfer — the basis of one of the largest data-theft campaigns on record
  • Gladinet CentreStack and Cleo — both leveraged in active ransomware operations

The lesson repeats itself: attackers go where the data is, and any platform that aggregates enterprise files while exposing an admin interface becomes a priority target.

The two vulnerabilities

watchTowr reported the flaws to Progress between February 6 and February 13, 2026, and confirmed the complete working exploit chain on February 18.

CVE-2026-2699 — pre-auth authentication bypass

The first bug is a critical authentication bypass in the SZC web management interface, assigned a CVSS v3.1 base score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as improper access control (CWE-284) combined with an Execution After Redirect (EAR) weakness. The root cause is insufficient access control and flawed handling of HTTP redirects: the interface lets an unauthenticated request reach configuration pages it should never be able to load.

Once past that boundary, an attacker can read and alter Storage Zone configuration — including file storage paths and, more importantly, sensitive security parameters such as the zone passphrase and related secrets. Control over those values is what makes the second stage viable.

Per the GitHub advisory by 0xBlackash, only customer-managed (on-premises) Storage Zones Controller deployments running 5.x up to 5.12.3 are affected. ShareFile 6.x and the cloud-hosted service are not impacted.

CVE-2026-2701 — remote code execution

The second flaw turns that configuration access into code execution by abusing ShareFile's file upload and extraction functionality. An attacker can drop a malicious ASPX webshell straight into the application's webroot, giving them persistent, interactive control over the host.

Reaching this stage normally requires generating valid HMAC signatures and decrypting internal secrets — operations that should be out of reach for an unauthenticated user. But because CVE-2026-2699 hands the attacker control over the passphrase-related values those operations depend on, the cryptographic gating collapses, and the upload becomes trivially achievable.

How the chain works end to end

The combined flow is short but complete:

  1. Bypass authentication by exploiting CVE-2026-2699 — manipulated HTTP redirects grant access to the SZC admin panel with no credentials.
  2. Read or modify the zone passphrases and internal secrets now exposed through that admin interface.
  3. Forge valid HMAC signatures using the recovered secrets, satisfying the cryptographic prerequisites of the RCE stage.
  4. Upload an ASPX webshell to the application webroot via CVE-2026-2701, yielding unauthenticated remote code execution.

The end state is full server compromise without a single valid credential at any point.

Exposure and risk

The internet-facing footprint is substantial. watchTowr's own scanning identified roughly 30,000 Storage Zones Controller instances reachable on the public internet. The ShadowServer Foundation reports a tighter count of around 700 internet-exposed ShareFile instances, concentrated mainly in the United States and Europe.

No in-the-wild exploitation had been confirmed at the time of disclosure. However, publishing a complete, weaponizable chain sharply widens the risk window — ransomware groups with a documented appetite for file transfer platforms routinely watch disclosures and rush to operationalize new exploits.

Patch details and recommended actions

Progress remediated both vulnerabilities in ShareFile 5.12.4, released March 10, 2026. Every SZC instance on a 5.x release prior to 5.12.4 is exposed to the chain.

  • Patch now: upgrade all ShareFile SZC instances to 5.12.4 or later without delay.
  • Restrict admin exposure: keep the ShareFile admin interface off the public internet wherever feasible.
  • Hunt in logs: review for anomalous HTTP redirect patterns, unexpected configuration changes, and newly created files in the application webroot — particularly .aspx files.
  • Rotate secrets: if there is any chance the admin interface was reached by an unauthorized party, treat all zone passphrases and related secrets as compromised and rotate them.
  • Track threat intel: monitor reporting from ShadowServer, CISA, and security vendors for signs of active exploitation.

Why file transfer platforms keep getting hit

These flaws land amid a sustained pattern of attacks on enterprise and managed file transfer products. Clop in particular has run the same playbook repeatedly: find a zero-day or freshly patched flaw in a widely deployed transfer platform, mass-exploit it before defenders can apply updates, and steal data for double extortion. These systems aggregate sensitive files from across an organization and typically run with elevated permissions, which makes them some of the highest-value targets available to extortion actors.

The ShareFile SZC chain fits that profile exactly — a pre-authentication, no-interaction path to RCE on a platform used by thousands of enterprises is precisely what sophisticated groups prioritize.

References