
New Progress ShareFile Vulnerabilities Expose Servers to Unauthorized Remote Takeover


Critical Exploit Chain Discovered in Progress ShareFile Storage Zone Controller

The cybersecurity landscape has recently faced a significant upheaval following the disclosure of critical vulnerabilities in the Progress ShareFile Storage Zone Controller by security researchers at watchTowr Labs. This revelation has raised immediate concerns among organizations that utilize this software, as it exposes them to potential exploitation by malicious actors.

The vulnerabilities are tracked as CVE-2026-2699 and CVE-2026-2701, both of which enable unauthenticated attackers to achieve remote code execution (RCE) on vulnerable servers. This means that attackers can gain complete control over vulnerable systems, which poses grave risks, especially for organizations with sensitive data to protect. With approximately 30,000 instances of the software exposed to the public internet, experts are urgently advising organizations to implement patches without delay to safeguard against potential catastrophic data breaches.

Managed file transfer (MFT) solutions have increasingly become prime targets for advanced persistent threat (APT) groups and ransomware syndicates. Following high-profile breaches involving tools such as MOVEit, Cleo Harmony, and GoAnywhere, threat actors are continually on the lookout for unpatched vulnerabilities in data-sharing gateways. The newly identified flaws in ShareFile represent a particularly lucrative opportunity for attackers seeking to infiltrate corporate networks and exfiltrate sensitive intellectual property.

The Target: Storage Zone Controller

Progress ShareFile is offered as a widely used Software as a Service (SaaS) platform. However, many enterprises choose to employ the on-premises Storage Zone Controller to fulfill their data sovereignty requirements and ensure regulatory compliance. This software acts as a customer-managed gateway, allowing organizations to store files on local network shares or secure private cloud environments while still employing the ShareFile web interface for broader accessibility.

The identified vulnerabilities are wholly contained within this self-hosted application. The first vulnerability, CVE-2026-2699, is an authentication bypass in the administrator configuration panel. When an unauthenticated user attempts to access this endpoint, the application issues an HTTP 302 redirect to send the user to a secure login page. However, researchers discovered a glaring coding error in the underlying C# codebase. Developers inadvertently passed false as the boolean flag to the .Redirect() function, which tells the server not to terminate execution of the page after the redirect. This type of vulnerability, referred to as “Execution After Redirect” (EAR), allows attackers to intercept the HTTP response, bypass the login requirement, and access the fully functional admin panel without needing any credentials.
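
The Execution After Redirect pattern described above, shown beside a corrected form. This is an added illustration, not code from ShareFile or from the watchTowr research; the class names, the AdminSession and AdminPanel helpers, the role name and the Login.aspx path are hypothetical, and it assumes an ASP.NET Web Forms project that references System.Web.

```csharp
// Added illustration: all class, helper, role and page names are hypothetical.
using System;
using System.Web;
using System.Web.UI;

public class VulnerableAdminPage : Page
{
    protected override void OnLoad(EventArgs e)
    {
        if (!AdminSession.IsValid(Context))
        {
            // endResponse = false: the 302 is queued, but this handler keeps running.
            Response.Redirect("~/Login.aspx", false);
        }
        // Reached even for unauthenticated requests, so the admin markup
        // is written into the body of the 302 response.
        Response.Write(AdminPanel.Render());
        base.OnLoad(e);
    }
}

public class HardenedAdminPage : Page
{
    // Authorize in OnInit, before any control or event handler runs.
    protected override void OnInit(EventArgs e)
    {
        if (!AdminSession.IsValid(Context))
        {
            // endResponse = true: the response ends here and nothing below executes.
            Response.Redirect("~/Login.aspx", true);
        }
        base.OnInit(e);
    }

    protected override void OnLoad(EventArgs e)
    {
        Response.Write(AdminPanel.Render());
        base.OnLoad(e);
    }
}

// Hypothetical stand-ins for the application's session check and panel rendering.
public static class AdminSession
{
    public static bool IsValid(HttpContext ctx) =>
        ctx.User != null && ctx.User.Identity.IsAuthenticated && ctx.User.IsInRole("Administrators");
}

public static class AdminPanel { public static string Render() => "<h1>Storage zone configuration</h1>"; }
```

A browser follows the 302 and never displays the body, which is why this class of bug tends to survive functional testing; comparing the response size of an unauthenticated request against the expected empty redirect body is a simple regression check.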

Achieving Remote Code Execution

With administrative access obtained, attackers can further exploit the second vulnerability, CVE-2026-2701, to achieve remote code execution. Within the Storage Zone Controller, administrators are allowed to configure a “Network Share Location” for user uploads. While the application does check for read and write permissions on the specified path, it glaringly neglects to validate whether the path represents a legitimate and secure storage directory. This oversight can be exploited by malicious actors who might manipulate the storage destination to point directly to the application’s public webroot, allowing the upload of a nefarious ASPX web shell disguised as a legitimate file. Once the attacker navigates to this uploaded script through their browser, they gain full and unauthorized control over the server.
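
One way to add the missing validation, written as an added example rather than the fix Progress shipped: reject any configured share location that overlaps a directory the web server serves. The StoragePathPolicy class, its method names and the sample paths are constructed for illustration, and Windows path semantics are assumed.

```csharp
// Added illustration: names and sample paths are constructed, not from the product.
using System;
using System.IO;

public static class StoragePathPolicy
{
    // Resolves "." and ".." segments and forces one trailing separator, so
    // "C:\inetpub\wwwroot\App2" is not mistaken for a child of "...\App".
    static string Normalize(string path)
    {
        string full = Path.GetFullPath(path);
        return full.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
               + Path.DirectorySeparatorChar;
    }

    // True when 'candidate' is 'root' itself or lies beneath it.
    public static bool IsUnder(string root, string candidate) =>
        Normalize(candidate).StartsWith(Normalize(root), StringComparison.OrdinalIgnoreCase);

    // Accept a share location only if it neither sits inside a served
    // directory nor contains one.
    public static bool IsAcceptable(string candidate, params string[] servedRoots)
    {
        foreach (string root in servedRoots)
        {
            if (IsUnder(root, candidate) || IsUnder(candidate, root))
                return false;
        }
        return true;
    }

    public static void Main()
    {
        string webroot = @"C:\inetpub\wwwroot\App";   // constructed sample webroot
        string[] candidates =
        {
            @"D:\ZoneData",                           // separate volume
            @"C:\inetpub\wwwroot\App\uploads",        // inside the webroot
            @"D:\ZoneData\..\..\inetpub\wwwroot\App", // traversal, resolves onto D:
            @"C:\ZoneData\..\inetpub\wwwroot\App",    // traversal back into the webroot
            @"C:\inetpub",                            // parent of the webroot
            @"C:\inetpub\wwwroot\App2",               // sibling with a shared prefix
        };
        foreach (string c in candidates)
            Console.WriteLine("{0} -> {1}", c, IsAcceptable(c, webroot) ? "accept" : "reject");
    }
}
```

The comparison is purely lexical: it does not resolve junctions, symbolic links or a UNC path that maps to the same folder, so it complements rather than replaces running the upload store on a volume the web server cannot execute from.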

These vulnerabilities specifically affect Branch 5.x of the ShareFile Storage Zone Controller, which is built on the ASP.NET framework. The flaws were verified by watchTowr Labs in version 5.12.3, and they were subsequently addressed by Progress in version 5.12.4. This update was discreetly rolled out to customers on March 10, 2026.

Security teams are strongly encouraged to upgrade their Storage Zone Controllers to version 5.12.4 or later as a matter of immediate priority. In addition, security personnel should actively monitor web server logs for any suspicious requests directed at configuration endpoints, inspect the webroot for any unexpected ASPX files, and ensure that on-premises file gateways are fortified behind robust firewalls whenever possible.

In summary, the recent disclosures regarding vulnerabilities within the Progress ShareFile Storage Zone Controller underscore the urgency for organizations using this software to act swiftly. By patching these vulnerabilities and adopting comprehensive monitoring strategies, companies can better protect their sensitive data against the rising tide of cyber threats. The combination of heightened awareness and proactive measures is crucial in these evolving times of technology and cybersecurity.
