Critical RCE Chain in Progress ShareFile Allows Unauthenticated Takeover

Critical RCE Chain (CVE-2026-2699 & CVE-2026-2701) in Progress ShareFile Disclosed

CRITICAL
April 6, 2026
Vulnerability, Cyberattack, Patch Management

Related Entities

Organizations

Progress Software, watchTowr Labs

Products & Tech

ShareFile Storage Zones Controller

CVE Identifiers

CVE-2026-2699: CRITICAL, CVSS 9.8
CVE-2026-2701: HIGH, CVSS 9.1

Full Report

Executive Summary

Security researchers at watchTowr Labs have publicly detailed an exploit for a critical vulnerability chain in customer-managed Progress ShareFile Storage Zones Controller (SZC). The attack combines two vulnerabilities: CVE-2026-2699, a 9.8 CVSS authentication bypass, and CVE-2026-2701, a 9.1 CVSS arbitrary file upload flaw. Chained together, they allow a remote, unauthenticated attacker to upload a web shell and achieve remote code execution (RCE), leading to a full compromise of the ShareFile server. Progress released a patch in version 5.12.4 on March 10, 2026, but the subsequent public PoC disclosure on April 2 puts tens of thousands of unpatched, internet-facing instances at immediate risk of attack. The situation is highly reminiscent of the 2023 attacks on MOVEit, another Progress Software product that was mass-exploited.


Vulnerability Details

The attack is a two-stage process that leverages two distinct CVEs:

  1. CVE-2026-2699 (CVSS 9.8 - Authentication Bypass): This initial vulnerability allows an unauthenticated attacker to access administrative configuration pages that should be protected. By exploiting this flaw, the attacker can modify server settings to enable the second stage of the attack.
  2. CVE-2026-2701 (CVSS 9.1 - Arbitrary File Upload): After bypassing authentication, the attacker uses this second flaw to abuse the file upload and extraction functionality. This allows them to write a malicious ASPX web shell to a location on the server that is accessible from the web.

Once the web shell is in place, the attacker can interact with it to execute arbitrary commands on the underlying server with the privileges of the web service account, effectively compromising the entire system.


Affected Systems

The vulnerability chain affects the on-premise (customer-managed) Progress ShareFile Storage Zones Controller, specifically the 5.x branch.

  • Vulnerable Versions: ShareFile Storage Zones Controller versions up to and including 5.12.3.
  • Patched Version: ShareFile Storage Zones Controller 5.12.4 and later.

According to internet scans, nearly 30,000 instances of ShareFile Storage Zones Controller are exposed to the internet, with the highest concentration in the United States and Germany. Any of these running a vulnerable version are at high risk.


Exploitation Status

Progress released a patch on March 10, 2026. The public disclosure of the technical details and proof-of-concept by watchTowr Labs occurred on April 2, 2026. While there was no evidence of in-the-wild exploitation before the public disclosure, the availability of a detailed write-up and PoC code makes mass scanning and exploitation highly probable. Organizations with unpatched systems should assume they are being actively targeted.


Impact Assessment

A successful exploit of this vulnerability chain leads to a full takeover of the on-premise ShareFile server. The impact is severe:

  • Data Breach: ShareFile servers are used to store and manage sensitive corporate files. An attacker can exfiltrate all data stored on the compromised server.
  • Ransomware Deployment: The compromised server can be used as a beachhead to deploy ransomware across the victim's internal network.
  • Pivot Point: Attackers can use the server to pivot and attack other systems within the organization's network.
  • Reputational Damage: A breach of a file-sharing platform can cause significant damage to an organization's reputation, similar to the fallout from the MOVEit and Accellion FTA breaches.

Cyber Observables for Detection

  • Web Logs: Monitor IIS logs on the ShareFile server for requests to administrative pages from unknown or external IP addresses. Look for POST requests that upload files with .aspx extensions or other web shell indicators.
  • File System Monitoring: Use file integrity monitoring to alert on the creation of new .aspx, .asp, or .php files in web-accessible directories of the ShareFile application.
  • Process Monitoring: Monitor the w3wp.exe (IIS worker) process for the spawning of unusual child processes like cmd.exe or powershell.exe, which is a strong indicator of web shell execution.

Type | Value | Description
url_pattern | */Config.aspx | Access to administrative configuration pages from unauthenticated sources.
file_name | *.aspx | Creation of ASPX files in web directories, indicative of a web shell.
process_name | w3wp.exe | Look for this process spawning command shells.

Detection & Response

Detection Methods:

  1. Vulnerability Scanning: Immediately scan your external attack surface and internal networks for Progress ShareFile Storage Zones Controller instances and check their version numbers.
  2. Log Analysis: Ingest IIS logs from ShareFile servers into a SIEM. Hunt for requests to configuration endpoints from external IPs, followed by file upload activity. This aligns with D3FEND Web Log Analysis.

Response Actions:

  • If an unpatched, internet-facing system is discovered, assume it is compromised. Isolate it from the network immediately.
  • Preserve logs and a forensic image of the server for investigation.
  • Rebuild the server from a known-good state and apply the patch before bringing it back online.

Remediation Steps

  1. Patch Immediately: The only effective remediation is to update all Progress ShareFile Storage Zones Controller instances to version 5.12.4 or newer. This is a critical, time-sensitive action. This is a direct application of D3FEND Software Update.
  2. Restrict Access: If patching is delayed, immediately implement strict firewall rules to limit access to the ShareFile server from only trusted IP addresses. This is a temporary measure until patching can be completed.
  3. Review Security Posture: Given that this is another critical vulnerability in a Progress file-transfer product, organizations using ShareFile should conduct a thorough security review and consider whether continued use of an on-premise, internet-facing file server aligns with their risk appetite.

Timeline of Events

  1. March 10, 2026: Progress releases ShareFile version 5.12.4, patching the vulnerabilities.
  2. April 2, 2026: watchTowr Labs publishes a technical write-up and proof-of-concept for the vulnerability chain.
  3. April 6, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying the patch from Progress is the only definitive way to remediate the vulnerability.


Restricting access to the ShareFile server via firewall rules can serve as a temporary compensating control.


D3FEND Defensive Countermeasures

The primary, and only truly effective, defense against this vulnerability chain is to update all on-premise Progress ShareFile Storage Zones Controller instances to version 5.12.4 or later. Given the public availability of a proof-of-concept exploit, this should be treated as an emergency change. Organizations must use their asset inventory and vulnerability management systems to identify all instances of ShareFile SZC, confirm their versions, and deploy the patch immediately. The history of mass exploitation of Progress Software products (e.g., MOVEit) demonstrates that threat actors will move quickly to scan for and compromise unpatched systems.

For detection and hunting, security teams must focus on analyzing the IIS web logs from their ShareFile servers. Ingest these logs into a SIEM and create rules to detect the two key stages of the attack. First, alert on any access to administrative URLs like /config.aspx from IP addresses that are not on a pre-defined allow-list of administrator IPs. This detects the authentication bypass. Second, create an alert for any HTTP POST request that results in the creation of a file with an executable web extension (e.g., .aspx, .ashx) in the ShareFile web directory. Correlating these two events from the same source IP within a short timeframe is a high-fidelity indicator of compromise.
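
The two-stage correlation described above (and the web-log observable listed earlier), worked through over IIS W3C logs as an added example; it is not code from the article, watchTowr Labs, or Progress. The allow-list subnet, the 10-minute window, and the sample log lines with their `/upload.aspx` path are constructed assumptions, and any POST that follows the admin-page hit is treated as an upload candidate to be confirmed against file-integrity alerts.

```python
import ipaddress
from datetime import datetime, timedelta

ADMIN_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: admin subnet
ADMIN_SUFFIX = "/config.aspx"     # URL pattern taken from the article's observables
WINDOW = timedelta(minutes=10)    # assumption: what counts as a "short timeframe"

# Constructed IIS W3C sample (documentation IPs, placeholder upload path).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2026-04-03 09:00:01 GET /Config.aspx 10.20.0.15 200
2026-04-03 09:12:40 GET /Config.aspx 203.0.113.50 200
2026-04-03 09:14:02 POST /upload.aspx 203.0.113.50 200
2026-04-03 09:15:10 POST /upload.aspx 198.51.100.7 200
2026-04-03 11:30:00 POST /upload.aspx 203.0.113.50 200
"""

def parse_iis(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def is_allowlisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_ALLOWLIST)

def correlate(text):
    """Return (ip, admin_ts, post_ts, post_uri) for every POST that follows a
    non-allow-listed admin-page request from the same client IP within WINDOW."""
    last_admin = {}  # ip -> time of the most recent suspicious admin-page request
    hits = []
    for r in parse_iis(text):  # IIS writes entries in time order within a file
        ip, uri = r["c-ip"], r["cs-uri-stem"].lower()
        if uri.endswith(ADMIN_SUFFIX) and not is_allowlisted(ip):
            last_admin[ip] = r["ts"]
        elif r["cs-method"] == "POST" and ip in last_admin:
            if r["ts"] - last_admin[ip] <= WINDOW:
                hits.append((ip, last_admin[ip], r["ts"], r["cs-uri-stem"]))
    return hits
```

On the sample, only the 09:14:02 POST from 203.0.113.50 is reported: the allow-listed administrator, the client with no prior admin-page request, and the POST outside the window are all ignored.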

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Progress ShareFile, RCE, vulnerability chain, CVE-2026-2699, CVE-2026-2701, authentication bypass, web shell
