CyberSecurityNews

New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In


A dangerous attack chain in Progress ShareFile can allow attackers to take over exposed on-premises servers without first logging in.

The issues affect customer-managed ShareFile Storage Zones Controller 5.x deployments, and Progress says customers should upgrade to version 5.12.4 or move to any 6.x release, which is not impacted.

According to Progress and watchTowr, the first bug is an authentication bypass that exposes restricted configuration pages, while the second enables remote code execution via malicious file uploads and execution.

runZero lists both flaws, CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1), as critical.

Progress ShareFile Vulnerability

The attack targets the ShareFile Storage Zones Controller. This on-premises component lets organizations store files in their own infrastructure while still using ShareFile’s cloud-based management interface.

That design is often used by enterprises with compliance, data-sovereignty, or internal security requirements, and watchTowr estimated that around 30,000 Storage Zones Controller instances are internet-facing.


Because these servers sit at the edge of file-sharing workflows, they are especially attractive targets for ransomware groups and other threat actors.

[Image: uploaded file with no extension and randomized name (Source: watchTowr)]

watchTowr found that the authentication bypass is caused by an Execution After Redirect condition on the Admin.aspx configuration page.

In simple terms, the application sends an HTTP 302 redirect to the login page, but the page logic continues running, which can expose admin functionality to an unauthenticated user.

The researchers said this behavior is tied to the way the application uses a redirect function that does not properly stop execution.
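To make the Execution After Redirect pattern concrete, the following pair of ASP.NET Web Forms code-behind classes was written for this article as an illustration. It is not ShareFile code and does not reproduce Progress's implementation; the class names, the `ZoneConfig` settings store and the form field names are all invented stand-ins. The first class shows the defect (a redirect that does not end the request), the second the minimal in-code fix.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical settings store so the pages below compile; a real admin page
// would read and write its own configuration. Values are constructed samples.
public static class ZoneConfig
{
    public static string StoragePath = @"D:\zones\default";
    public static string Passphrase  = "REPLACE-ME";
}

// CWE-698, Execution After Redirect: the guard issues a 302 but does not stop.
public class AdminPageVulnerable : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            // BUG: endResponse:false only writes the 302 Location header. The
            // request is NOT terminated: the rest of Page_Load and the remaining
            // page lifecycle (PreRender, Render) still run for the unauthenticated
            // caller, and the full admin page is written into the body of the 302.
            // A client that simply ignores the redirect sees all of it.
            Response.Redirect("~/Login.aspx", endResponse: false);
        }

        if (IsPostBack)
        {
            // Privileged write, reachable because the guard above did not return.
            ZoneConfig.StoragePath = Request.Form["storagePath"];
            ZoneConfig.Passphrase  = Request.Form["passphrase"];
        }

        Response.Write("<p>Storage path: "
            + HttpUtility.HtmlEncode(ZoneConfig.StoragePath) + "</p>");
    }
}

// Same page with the redirect actually ending the request.
public class AdminPageFixed : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated)
        {
            // endResponse defaults to true: Redirect calls Response.End(), which
            // aborts the request thread (ThreadAbortException), so no further
            // page code in this request executes.
            Response.Redirect("~/Login.aspx");
            // Defensive: leave the handler even if someone later flips the flag.
            return;
        }

        if (IsPostBack)
        {
            ZoneConfig.StoragePath = Request.Form["storagePath"];
            ZoneConfig.Passphrase  = Request.Form["passphrase"];
        }

        Response.Write("<p>Storage path: "
            + HttpUtility.HtmlEncode(ZoneConfig.StoragePath) + "</p>");
    }
}
```

The in-page check is only a last line of defense. The stronger fix is declarative authorization in web.config, for example a `<location path="Admin.aspx">` element with `<deny users="?"/>`, so that ASP.NET's URL authorization rejects anonymous requests before any page code runs at all; a code review for this class of bug should grep for `Redirect(` calls with `false` as the second argument and confirm that each is followed by a return or `CompleteRequest()` and is not guarding privileged logic further down the page lifecycle.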

After gaining access to the admin interface, an attacker can modify important zone settings, including storage paths and passphrase-related values.

That access becomes more serious because the second bug allows a malicious archive to be uploaded and extracted into a server-controlled path, including a web-accessible directory.

[Image: webshell (and its upload path) in action (Source: watchTowr)]

In the demonstrated chain, this allowed an ASPX webshell to be placed in the ShareFile webroot and code to be executed remotely on the server.

Progress said it has not received reports of active exploitation so far. However, the vendor classified the issue as critical and published fixes on April 2, 2026.

watchTowr’s timeline shows the bugs were privately disclosed in February, replicated by Progress in mid-February, and fixed in ShareFile Storage Zones Controller 5.12.4 on March 10, before public disclosure in April.

For defenders, the priority is clear: identify any exposed ShareFile Storage Zones Controller 5.x systems, patch immediately, and review them for suspicious configuration changes or unexpected files in web-facing directories.
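The review step above, as an added example written for this article rather than a Progress-provided tool: a small console program that triages a web-facing directory for the artifacts this chain leaves behind, namely server-executable or config files written after a cutoff date, files absent from a known-good baseline, and extensionless files (the upload artifact watchTowr pictured). The webroot path is supplied on the command line because the controller's install location varies; the baseline is assumed to be a text file with one relative path per line, captured from a clean install of the same version. Because an intruder can reset timestamps, the baseline comparison does not depend on them.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;

// Triage helper for a web-facing directory on a possibly compromised host.
// Not a vendor tool; file-type list is generic ASP.NET/IIS, not ShareFile-specific.
public static class WebRootTriage
{
    // File types IIS/ASP.NET executes server-side, plus config files whose
    // modification is worth reviewing for tampering.
    static readonly HashSet<string> WatchedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".config" };

    public sealed class Finding
    {
        public string RelativePath;
        public string Reasons;
        public DateTime LastWriteUtc;
        public string Sha256;
    }

    // Returns every file under webRoot that trips at least one of the three checks.
    public static List<Finding> Scan(string webRoot, DateTime sinceUtc, ISet<string> baseline)
    {
        var root = Path.GetFullPath(webRoot).TrimEnd(Path.DirectorySeparatorChar)
                   + Path.DirectorySeparatorChar;
        var findings = new List<Finding>();

        foreach (var file in Directory.EnumerateFiles(root, "*", SearchOption.AllDirectories))
        {
            var info = new FileInfo(file);
            var rel = file.Substring(root.Length);
            var reasons = new List<string>();

            if (!baseline.Contains(rel))
                reasons.Add("not in baseline");
            if (WatchedExtensions.Contains(info.Extension) && info.LastWriteTimeUtc >= sinceUtc)
                reasons.Add("executable/config file written after cutoff");
            if (info.Extension.Length == 0)
                reasons.Add("extensionless file in web-facing directory");

            if (reasons.Count == 0) continue;
            findings.Add(new Finding
            {
                RelativePath = rel,
                Reasons = string.Join("; ", reasons),
                LastWriteUtc = info.LastWriteTimeUtc,
                Sha256 = Sha256Hex(file)   // hash for later comparison or sharing
            });
        }
        return findings;
    }

    static string Sha256Hex(string path)
    {
        using (var sha = SHA256.Create())
        using (var stream = File.OpenRead(path))
            return BitConverter.ToString(sha.ComputeHash(stream)).Replace("-", "");
    }

    public static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: WebRootTriage <webroot> <baseline.txt> <days-back>");
            return;
        }
        var baseline = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var line in File.ReadAllLines(args[1]))
            if (line.Trim().Length > 0) baseline.Add(line.Trim());
        var since = DateTime.UtcNow.AddDays(-double.Parse(args[2]));

        foreach (var f in Scan(args[0], since, baseline))
            Console.WriteLine($"{f.LastWriteUtc:u}  {f.Sha256}  {f.RelativePath}  [{f.Reasons}]");
    }
}
```

Run it from an elevated prompt against a copy of the directory or the live host, for example `WebRootTriage.exe <webroot> baseline.txt 60`, and treat any ASPX or ASHX file that is not in the baseline as a webshell candidate until its content has been reviewed. Pair the file review with a diff of the zone configuration (storage paths and passphrase-related values) against the last known-good export, since those are the settings the first bug lets an unauthenticated caller change.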
