Two critical-severity vulnerabilities in the ShareFile content collaboration and file-sharing platform could be chained together for unauthenticated remote code execution (RCE), attack surface management firm WatchTowr warns.
One of the bugs, tracked as CVE-2026-2699 (CVSS score of 9.8), allows unauthenticated attackers to access configuration pages that should be restricted.
According to WatchTowr, the flaw is an Execution After Redirect (EAR) issue that was uncovered when attempting to access an administrative endpoint through the browser.
While the browser did redirect to a login page that could only be accessed from the local host, thus resulting in an error, the header contained more information than normal.
By modifying the HTTP response and dropping the Location header, the cybersecurity firm obtained access to an admin page for Storage Zone configurations.
This allowed the company to configure a Zone to connect to a local network, modify various Zone parameters, including the current ShareFile passphrase, and force a victim Storage Zone Controller to join a malicious Zone, without authentication.
“We could change the victim’s Storage Repository to point to an AWS S3 Bucket we control, meaning that when files are synced or uploaded to the instance, they’re sent to a repository we can control, effectively exfiltrating sensitive files,” WatchTowr notes.
By connecting a victim Controller to their Zone, an attacker gains administrative access to that file storage solution and can abuse built-in functionality to upload files to arbitrary locations.
“Products like this typically allow you to specify the file storage location. We could just reconfigure ShareFile to store uploaded files in a potentially dangerous location, such as the application’s webroot directory,” the cybersecurity firm notes.
Digging through the application’s file upload functionality, WatchTowr discovered CVE-2026-2701 (CVSS score of 9.1), an arbitrary file upload issue it could exploit to drop a web shell and achieve RCE.
Next, the cybersecurity firm managed to chain the two vulnerabilities to achieve unauthenticated RCE on a vulnerable ShareFile instance.
Both issues were reported to ShareFile in early February and were addressed in version 5.12.4 of the application. ShareFile versions 6.x are not affected.
Related: Critical Vulnerability in Claude Code Emerges Days After Source Leak
Related: Exploitation of Fresh Citrix NetScaler Vulnerability Begins
Related: Exploitation of Critical Fortinet FortiClient EMS Flaw Begins
Related: CISA Flags Critical PTC Vulnerability That Had German Police Mobilized
