Two newly disclosed vulnerabilities in Progress ShareFile, a widely used enterprise file transfer and collaboration platform, can be chained together to allow unauthenticated attackers to exfiltrate sensitive data and achieve full remote code execution (RCE) on exposed servers. Discovered by researchers at offensive security firm watchTowr, the flaws affect the Storage Zones Controller (SZC) component in ShareFile branch 5.x and have since been patched in version 5.12.4. Organizations running older versions should treat patching as an immediate priority.

What Is Progress ShareFile and Why Does It Matter?

Progress ShareFile is an enterprise-grade document sharing and collaboration solution favored by large and mid-sized organizations for its flexibility and security controls. One of its key features is the Storage Zones Controller (SZC), which gives customers the ability to host their own data either on-premises or through a third-party cloud provider, rather than relying solely on Progress-managed infrastructure.

This flexibility makes ShareFile attractive to organizations with strict data governance requirements — but it also expands the attack surface. Secure file transfer platforms have repeatedly proven to be high-value targets for ransomware and data extortion groups. Past campaigns exploiting similar products include:

  • Accellion FTA — targeted by the Clop ransomware group
  • SolarWinds Serv-U — exploited in targeted intrusions
  • GoAnywhere MFT — mass-exploited by Clop in 2023
  • MOVEit Transfer — subject to one of the largest data theft campaigns in recent history
  • Gladinet CentreStack and Cleo — both exploited in active ransomware operations

The pattern is clear: attackers follow the data. Any platform that aggregates sensitive enterprise files and exposes a management interface to the internet becomes a prime target.

The Two Vulnerabilities: CVE-2026-2699 and CVE-2026-2701

watchTowr identified and responsibly disclosed two distinct flaws between February 6 and 13, 2026. The full exploit chain was confirmed on February 18.

CVE-2026-2699: Authentication Bypass

The first vulnerability is an authentication bypass caused by improper handling of HTTP redirects within the ShareFile Storage Zones Controller. By exploiting this flaw, an unauthenticated attacker can gain unauthorized access to the ShareFile admin interface without supplying valid credentials. This foothold is the critical first step in the attack chain.

Once inside the admin interface, an attacker can modify Storage Zone configuration settings — including file storage paths and highly sensitive security parameters such as the zone passphrase and related secrets. The ability to read or set these values is what enables the second stage of the attack.

CVE-2026-2701: Remote Code Execution

The second flaw enables remote code execution by abusing the platform's file upload and extraction functionality. Specifically, attackers can use this vulnerability to place malicious ASPX webshells directly into the application's webroot directory, granting persistent, interactive control over the underlying server.

Executing this stage requires generating valid HMAC signatures and decrypting internal secrets — tasks that would normally be impossible for an unauthenticated attacker. However, because CVE-2026-2699 allows an adversary to control passphrase-related values, these cryptographic requirements become trivially achievable after the initial bypass.

How the Exploit Chain Works End-to-End

The combined attack flow is straightforward but devastating in its impact:

  • Step 1: Exploit CVE-2026-2699 to bypass authentication and access the ShareFile admin panel via manipulated HTTP redirects.
  • Step 2: Read or manipulate zone passphrases and internal secrets exposed through the admin interface.
  • Step 3: Use the extracted secrets to generate valid HMAC signatures required for the second exploit stage.
  • Step 4: Exploit CVE-2026-2701 to upload a malicious ASPX webshell into the application webroot, achieving unauthenticated remote code execution.

The result is complete server compromise — with no valid credentials required at any point in the chain.

Scope of Exposure: How Many Systems Are at Risk?

The internet-facing exposure of this vulnerability chain is significant. According to watchTowr's own scanning, approximately 30,000 Storage Zones Controller instances are exposed on the public internet. The ShadowServer Foundation reports a narrower but still notable figure of around 700 internet-exposed ShareFile instances, with the majority concentrated in the United States and Europe.

While no active in-the-wild exploitation has been confirmed at the time of writing, the public disclosure of a complete, weaponizable exploit chain dramatically increases the risk window. Threat actors — particularly ransomware groups with a known appetite for file transfer platforms — routinely monitor vulnerability disclosures and move quickly to operationalize new exploits.

Patch Details and Recommended Actions

Progress addressed both vulnerabilities in ShareFile version 5.12.4, released on March 10, 2026. Organizations using any version of ShareFile Storage Zones Controller in the 5.x branch prior to 5.12.4 are exposed to this attack chain.

Recommended actions include:

  • Patch immediately: Upgrade all ShareFile SZC instances to version 5.12.4 or later without delay.
  • Audit admin interface exposure: Ensure the ShareFile admin interface is not directly accessible from the public internet where possible.
  • Review logs for suspicious activity: Look for anomalous HTTP redirect patterns, unexpected configuration changes, or newly created files in the application webroot.
  • Rotate secrets and passphrases: If there is any possibility that the admin interface was accessed by unauthorized parties, treat all zone passphrases and related secrets as compromised and rotate them immediately.
  • Monitor threat intelligence feeds: Track reports of active exploitation from sources such as ShadowServer, CISA, and security vendors.
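
The webroot check from the list above, as an added example (not code from Progress or watchTowr): it compares server-executable files under a webroot against a known-good hash baseline and reports anything new or changed. The function names, the extension list, the constructed sample tree and the February 6, 2026 cutoff (the start of the disclosure window given above) are assumptions for illustration; point it at your own webroot and a baseline built from a clean install of the same version.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions ASP.NET on IIS executes or that change handler mappings (assumption; tune per deployment).
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".config"}


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_webroot(webroot, baseline, since):
    """Flag executable files that are missing from, or differ from, a known-good baseline.

    baseline maps relative path -> SHA-256 from a clean install; since is an aware datetime.
    mtime can be forged, so the hash comparison is the primary signal and "recent" only a hint.
    """
    root, findings = Path(webroot), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        rel, digest = path.relative_to(root).as_posix(), sha256(path)
        if baseline.get(rel) == digest:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        findings.append({
            "path": rel,
            "reason": "modified" if rel in baseline else "not in baseline",
            "recent": mtime >= since,
        })
    return findings


def demo():
    """Constructed tree: one baseline page, one unexpected .aspx, one non-executable upload."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "default.aspx").write_text("<%@ Page Language=\"C#\" %>")
        baseline = {"default.aspx": sha256(root / "default.aspx")}
        (root / "uploads").mkdir()
        (root / "uploads" / "report.pdf").write_text("constructed sample")
        new = root / "uploads" / "unexpected.aspx"
        new.write_text("constructed placeholder, not a real webshell")
        stamp = datetime(2026, 3, 1, tzinfo=timezone.utc).timestamp()
        os.utime(new, (stamp, stamp))
        return audit_webroot(root, baseline, datetime(2026, 2, 6, tzinfo=timezone.utc))
```

Calling demo() returns a single finding for uploads/unexpected.aspx; any finding on a production server is a lead to investigate and preserve, not a verdict.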

The Broader Threat Landscape for File Transfer Platforms

These ShareFile vulnerabilities arrive against a backdrop of sustained, targeted attacks against enterprise file transfer and managed file transfer (MFT) solutions. The Clop ransomware group, in particular, has demonstrated a repeatable playbook: identify a zero-day or newly patched vulnerability in a widely used file transfer platform, mass-exploit it before organizations can patch, and exfiltrate sensitive data for double extortion.

Secure file transfer platforms aggregate sensitive data from across an organization and typically operate with elevated permissions — making them one of the highest-value targets available to ransomware and data extortion actors.

The ShareFile Storage Zones Controller flaws fit this pattern precisely. A pre-authentication exploit chain requiring no user interaction and targeting a platform used by thousands of enterprises worldwide is exactly the kind of vulnerability that sophisticated threat groups prioritize.

Conclusion

The chained vulnerabilities in Progress ShareFile — CVE-2026-2699 and CVE-2026-2701 — represent a serious and immediately actionable threat to any organization running an unpatched Storage Zones Controller instance. The combination of an authentication bypass with a remote code execution primitive, all achievable without valid credentials, places this vulnerability chain in the highest tier of severity. With tens of thousands of potentially exposed instances and a history of similar platforms being mass-exploited by ransomware actors, the window for safe remediation is narrow. Patching to ShareFile 5.12.4 is not optional — it is urgent. Organizations that have not yet applied the March 10 update should do so immediately and conduct a thorough audit of any affected systems for signs of prior compromise.