Progress Software has issued an urgent advisory instructing customers running on-premises ShareFile Storage Zone Controllers to immediately power down the servers hosting these components, citing a “credible external security threat” against the platform.
The notice, sent directly to customers’ inboxes, states that Progress has no current indication of unauthorized access to ShareFile accounts or data, but is taking the drastic step as a precaution while it works with internal and external cybersecurity experts to assess the threat.
The email tells administrators that Progress has already disabled account access through Storage Zone Controllers for all affected customers, and separately demands manual shutdown of the underlying servers as a “critical additional step” to protect data.
Progress says it expects to share updates within 24 hours and has framed the move as an abundance-of-caution measure rather than confirmation of an active breach.
The company has not publicly detailed the nature of the threat, leaving open the possibility that it relates to a new zero-day or renewed exploitation attempts against the Storage Zone Controller architecture.
This is not the first security scare tied to ShareFile’s customer-managed gateway. In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in Storage Zone Controller: CVE-2026-2699, an authentication bypass with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1.
Chained together, the bugs allowed unauthenticated attackers to reach restricted configuration pages and upload malicious ASPX webshells to achieve full remote code execution without credentials.
Shadowserver Foundation identified roughly 784 internet-exposed instances at the time, with the United States and Germany showing the widest exposure, while watchTowr’s broader scan found nearly 30,000 visible instances. Progress patched the flaws in version 5.12.4, and the newer 6.x branch, built on .NET Core, was confirmed unaffected.
Given the platform’s history of critical pre-authentication RCE flaws, security teams should treat this new warning seriously even without technical details, isolating internet-facing Storage Zone Controller instances and monitoring for further guidance from Progress.
Stop Accepting SLAs Written for 2019 SOCs – Here’s the 2026 AI SLA Vendor Checklist – Download Free AI SOC SLA Guide

