Skip to content
Vulnerability exploitOngoing

Progress orders ShareFile customers to shut down Storage Zone Controllers over a 'credible external security threat'

Progress Software told ShareFile customers to manually power off their self-hosted Storage Zone Controllers after identifying a credible external security threat to the file-sharing product, echoing the critical pre-authentication flaws recently disclosed in the same component.

Victim
Progress ShareFile
CVECVE-2026-2699CVE-2026-2701

On 10 July 2026, Progress Software โ€” the Burlington, Massachusetts vendor behind the ShareFile managed file-transfer platform โ€” took the unusual step of telling customers to manually power off the servers hosting their Storage Zone Controllers after identifying what it called a "credible external security threat." The directive became public when a customer posted the emailed instruction to Reddit's r/sysadmin community, and it was quickly corroborated by Progress's own status page, which soon listed Storage Zone Controller customers as "not operational" while the company investigated.

The warning applies specifically to the Storage Zones Controller, the self-hosted Windows component that lets organisations keep files on their own infrastructure while still using ShareFile's cloud to share and manage them; standard cloud-only ShareFile accounts are not affected. Progress stressed that disabling access through the ShareFile cloud alone was insufficient โ€” customers were told they "must manually shut down the server hosting your Storage Zone Controllers," framing the shutdown as "a critical additional step to ensure the safety of your data." As of the initial disclosures the company said it had no indication of unauthorised access to any ShareFile account or data, and it did not name the threat, disclose whether a zero-day was involved, or attribute the activity to any actor.

A component with a fresh history of critical flaws

The emergency directive lands only months after two critical pre-authentication vulnerabilities were disclosed in the very same component. In February 2026 Progress confirmed CVE-2026-2699, an authentication-bypass flaw carrying a maximum-severity CVSS 9.8, paired with CVE-2026-2701, a remote-code-execution issue rated 9.1. Chained together, the bugs let an unauthenticated attacker reach restricted configuration pages and upload a malicious ASPX webshell for full remote code execution. On 2 April 2026, watchTowr Labs published a working proof-of-concept exploit chain, and internet scans at the time counted anywhere from several hundred exposed instances to nearly 30,000 visible Storage Zones Controllers worldwide, with the United States and Germany the most heavily represented.

Why it matters

ShareFile sits in the same category of internet-facing managed file-transfer software โ€” alongside MOVEit, GoAnywhere and Accellion โ€” that has repeatedly been mass-exploited to steal data at scale, and the Storage Zones Controller lineage carries its own precedent: in 2023, while the product still belonged to Citrix, attackers actively exploited an unauthenticated flaw (CVE-2023-24489) in the same controller. Progress's decision to instruct customers to pull the servers entirely, rather than simply apply a patch, signals a threat serious enough that no fix was yet available to rely on. Until Progress publishes further detail, administrators running self-hosted Storage Zone Controllers face an unwelcome choice between prolonged downtime and exposure to a threat the vendor has judged credible but has not yet described.

Timeline

  1. Progress confirms CVE-2026-2699, a critical authentication-bypass flaw (CVSS 9.8) in the ShareFile Storage Zones Controller, alongside the CVE-2026-2701 remote-code-execution issue.

  2. watchTowr Labs publishes a full pre-authentication remote-code-execution exploit chain and proof-of-concept for the two flaws.

  3. A customer posts to Reddit's r/sysadmin an emailed Progress directive instructing ShareFile customers to manually shut down the Windows servers hosting their Storage Zone Controllers over a 'credible external security threat'.

  4. Progress lists Storage Zone Controller customers as 'not operational' on its status page and describes the incident as under investigation.

Sources

  1. thehackernews.comhttps://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
  2. bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
  3. scworld.comhttps://www.scworld.com/brief/progress-software-warns-sharefile-users-of-external-security-threat
  4. watchtowr.comhttps://watchtowr.com/resources/progress-sharefile-storage-zone-controller-pre-auth-rce-cve-2026-2699-cve-2026-2701/

Related incidents