# Critical RCE Chain (CVE-2026-2699 & CVE-2026-2701) in Progress ShareFile Disclosed

**Critical RCE Chain in Progress ShareFile Allows Unauthenticated Takeover**

Advisory | Published 2026-04-06 | Severity: critical | Categories: Vulnerability, Cyberattack, Patch Management | Reading time: 5 minutes

**Summary:** Security researchers have publicly disclosed a critical vulnerability chain in the customer-managed (on-premises) Progress ShareFile Storage Zones Controller. The chain combines an authentication bypass (CVE-2026-2699, CVSS 9.8) with a file upload flaw (CVE-2026-2701, CVSS 9.1), allowing an unauthenticated attacker to achieve remote code execution (RCE) and take over the server. Progress patched both flaws in March 2026, but the public release of technical details raises the risk for the nearly 30,000 internet-exposed instances, an unknown share of which remain unpatched.

---

## Executive Summary

Security researchers at watchTowr Labs have publicly detailed an exploit for a critical vulnerability chain in customer-managed **[Progress](https://www.progress.com/)** ShareFile Storage Zones Controller (SZC). The attack combines two vulnerabilities: **[CVE-2026-2699](https://www.cve.org/CVERecord?id=CVE-2026-2699)**, a CVSS 9.8 authentication bypass, and **[CVE-2026-2701](https://www.cve.org/CVERecord?id=CVE-2026-2701)**, a CVSS 9.1 arbitrary file upload flaw. Chained together, they allow a remote, unauthenticated attacker to upload a web shell and achieve remote code execution (RCE), leading to full compromise of the ShareFile server. Progress released a fix in version 5.12.4 on March 10, 2026, but the public proof-of-concept (PoC) disclosure on April 2 puts tens of thousands of unpatched, internet-facing instances at immediate risk. The situation closely resembles the 2023 mass exploitation of MOVEit Transfer, another Progress Software file-transfer product.

---

## Vulnerability Details

The attack is a two-stage process that chains two distinct CVEs:

1.  **CVE-2026-2699 (CVSS 9.8, Authentication Bypass):** This initial flaw lets an unauthenticated attacker reach administrative configuration pages that should be protected. Through it, the attacker can change server settings to enable the second stage.
2.  **CVE-2026-2701 (CVSS 9.1, Arbitrary File Upload):** With authentication bypassed, the attacker abuses the file upload and extraction functionality to write a malicious ASPX web shell into a location on the server that is reachable over the web.

Once the web shell is in place, the attacker can use it to execute arbitrary commands on the underlying server with the privileges of the web service account, effectively compromising the entire system.

---

## Affected Systems

The vulnerability chain affects the customer-managed (on-premises) Progress ShareFile Storage Zones Controller, specifically the 5.x branch.

- **Vulnerable Versions:** ShareFile Storage Zones Controller 5.x up to and including 5.12.3.
- **Patched Version:** ShareFile Storage Zones Controller 5.12.4 and later.

According to internet scans, nearly 30,000 instances of ShareFile Storage Zones Controller are exposed to the internet, with the highest concentration in the United States and Germany. Any of these still running a vulnerable version is at high risk.
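A version check that encodes the boundary stated above, written for this advisory as an added example (not code from Progress or watchTowr Labs). It triages a constructed inventory; the hostnames, the `internet_exposed` flag and the `5.12.10` build number are assumptions, the last one included to show why the comparison has to be numeric rather than string-based.

```python
"""Version triage for ShareFile Storage Zones Controller inventories.

Added example, not Progress's or watchTowr's code. It encodes only the
boundary the advisory states: 5.x builds up to and including 5.12.3 are
vulnerable, 5.12.4 and later are fixed. The inventory rows are constructed;
hostnames and the internet_exposed flag are assumptions.
"""

PATCHED = (5, 12, 4)          # first fixed release per the advisory


def parse_version(text: str) -> tuple:
    """Turn '5.12.3' (or '5.12') into a tuple of ints so comparison is numeric.

    Comparing the raw strings gets this wrong: '5.12.10' < '5.12.4'
    lexicographically, which would mark a fixed build as vulnerable.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 3 - len(nums))   # '5.12' compares as 5.12.0


def is_vulnerable(version: str) -> bool:
    """True for any 5.x release below 5.12.4. The advisory covers only the
    5.x branch, so anything else is refused rather than guessed."""
    v = parse_version(version)
    if v[0] != 5:
        raise ValueError(f"advisory only covers the 5.x branch, got {version}")
    return v < PATCHED


def triage(inventory):
    """Rank hosts: unpatched and internet-exposed first, then unpatched
    internal, then fixed builds. Returns (host, version, action) rows."""
    ranked = []
    for host in inventory:
        vuln = is_vulnerable(host["version"])
        if vuln and host["internet_exposed"]:
            priority, action = 0, "isolate, assume compromised, rebuild and patch to 5.12.4+"
        elif vuln:
            priority, action = 1, "patch to 5.12.4+ as an emergency change"
        else:
            priority, action = 2, "fixed build, no patch action"
        ranked.append((priority, host["name"], host["version"], action))
    ranked.sort()
    return [(name, ver, act) for _, name, ver, act in ranked]


# Constructed inventory; names, exposure flags and the 5.12.10 build are assumptions.
INVENTORY = [
    {"name": "szc-dmz-01", "version": "5.12.3",  "internet_exposed": True},
    {"name": "szc-int-02", "version": "5.11.0",  "internet_exposed": False},
    {"name": "szc-dmz-03", "version": "5.12.10", "internet_exposed": True},
    {"name": "szc-dmz-04", "version": "5.12.4",  "internet_exposed": True},
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Feed `triage` the version strings your asset inventory or external scanner reports; an unparseable or non-5.x version raises instead of silently passing, which is the right failure mode for an emergency patch sweep.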
---

## Exploitation Status

Progress released the patch on March 10, 2026. watchTowr Labs published the technical details and proof-of-concept on April 2, 2026. There was no evidence of in-the-wild exploitation *before* the public disclosure, and neither CVE was listed in CISA's KEV catalog at the time of writing, but a detailed write-up plus PoC code makes mass scanning and exploitation highly probable. Organizations with unpatched systems should assume they are being actively targeted.

---

## Impact Assessment

A successful exploit of this vulnerability chain leads to a full takeover of the on-premises ShareFile server. The impact is severe:

- **Data Breach:** ShareFile servers store and manage sensitive corporate files. An attacker can exfiltrate all data stored on the compromised server.
- **Ransomware Deployment:** The compromised server can serve as a beachhead for deploying ransomware across the victim's internal network.
- **Pivot Point:** Attackers can use the server to pivot to other systems within the organization's network.
- **Reputational Damage:** A breach of a file-sharing platform can cause significant reputational harm, as the MOVEit and Accellion FTA breaches showed.

---

## Cyber Observables for Detection

- **Web Logs:** Monitor IIS logs on the ShareFile server for requests to administrative pages from unknown or external IP addresses, and for POST requests that upload files with `.aspx` extensions or other web shell indicators. IIS logs record the request, not what it wrote to disk, so pair them with file integrity monitoring for the upload stage.
- **File System Monitoring:** Use file integrity monitoring to alert on the creation of new `.aspx`, `.ashx`, or `.asp` files in web-accessible directories of the ShareFile application (default web root `C:\inetpub\wwwroot\Citrix\StorageCenter\`).
- **Process Monitoring:** Watch the `w3wp.exe` (IIS worker) process for unusual child processes such as `cmd.exe` or `powershell.exe`; an IIS worker spawning a shell is a strong indicator of web shell execution.

| Type | Value | Description |
|---|---|---|
| `url_pattern` | `*/Config.aspx` | Access to administrative configuration pages from unauthenticated or non-administrator sources. |
| `file_name` | `*.aspx` | Creation of new ASPX files in web directories, indicative of a web shell. |
| `process_name` | `w3wp.exe` | The IIS worker process; look for it spawning command shells. |

---

## Detection & Response

**Detection Methods:**
1.  **Vulnerability Scanning:** Immediately scan your external attack surface and internal networks for Progress ShareFile Storage Zones Controller instances and check their version numbers.
2.  **Log Analysis:** Ingest IIS logs from ShareFile servers into a SIEM. Hunt for requests to configuration endpoints from external IPs, followed by file upload activity from the same client. This aligns with **[D3FEND Web Log Analysis](https://d3fend.mitre.org/technique/d3f:WebLogAnalysis)**.

**Response Actions:**
- If an unpatched, internet-facing system is discovered, assume it is compromised. Isolate it from the network immediately.
- Preserve logs and a forensic image of the server for investigation.
- Rebuild the server from a known-good state and apply the patch before bringing it back online; patching a server that already hosts a web shell does not remove the shell.
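The two-stage correlation described under Detection & Response, run over a constructed IIS log, as an added example (not from the advisory or the researchers). The administrator allow-list, the ten-minute window, and the `/upload.aspx` and `/shell.aspx` paths in the sample are assumptions; only `/config.aspx` comes from the advisory's observables.

```python
"""Two-stage hunt over IIS W3C logs for the ShareFile SZC exploit chain.

Added example, not watchTowr's or Progress's code. Stage 1 is any request
whose path ends in /config.aspx from an IP outside the administrator
allow-list (the CVE-2026-2699 bypass). Stage 2 is a POST from the same
client within a short window afterwards (the CVE-2026-2701 upload), which
the advisory calls a high-fidelity indicator. Later .aspx requests from a
flagged client are kept as possible web-shell traffic. The allow-list, the
window and the /upload.aspx and /shell.aspx paths are assumptions.
"""
from datetime import datetime, timedelta
import ipaddress

ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
WINDOW = timedelta(minutes=10)                           # assumption

# Constructed log in the W3C extended format IIS writes by default. The
# #Fields header drives parsing, so real logs with more columns also work.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-04-03 01:12:07 192.0.2.10 GET /Config.aspx - 443 - 198.51.100.23 python-requests/2.31 200 44
2026-04-03 01:12:09 192.0.2.10 POST /upload.aspx - 443 - 198.51.100.23 python-requests/2.31 200 131
2026-04-03 01:13:02 192.0.2.10 GET /shell.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.31 200 12
2026-04-03 02:00:00 192.0.2.10 GET /Config.aspx - 443 admin 10.1.2.3 Mozilla/5.0 200 80
2026-04-03 02:00:30 192.0.2.10 POST /upload.aspx - 443 admin 10.1.2.3 Mozilla/5.0 200 90
2026-04-03 03:00:00 192.0.2.10 GET /Config.aspx - 443 - 203.0.113.5 Mozilla/5.0 403 5
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # truncated or malformed line
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        yield rec


def is_admin_ip(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def hunt(text, allowlist=ADMIN_ALLOWLIST, window=WINDOW):
    """Return (high, review). high: stage 1 + stage 2 from one client inside
    the window, with follow-on .aspx requests; review: stage-1-only hits."""
    pending, alerted, high = {}, {}, []
    for rec in parse_w3c(text):
        ip, ts = rec["c-ip"], rec["ts"]
        stem = rec["cs-uri-stem"].lower()      # IIS matches paths case-insensitively
        if ip in alerted:
            if stem.endswith(".aspx"):         # possible web-shell command traffic
                q = "" if rec["cs-uri-query"] == "-" else "?" + rec["cs-uri-query"]
                alerted[ip]["follow_on"].append(rec["cs-uri-stem"] + q)
            continue
        if stem.endswith("/config.aspx") and not is_admin_ip(ip, allowlist):
            pending.setdefault(ip, ts)         # stage 1: remember first hit
            continue
        first = pending.get(ip)
        if first is not None and rec["cs-method"].upper() == "POST" and ts - first <= window:
            alert = {"c-ip": ip, "stage1": first, "stage2": ts,
                     "post": rec["cs-uri-stem"], "follow_on": []}
            high.append(alert)
            alerted[ip] = alert
            del pending[ip]
    review = [{"c-ip": ip, "stage1": ts} for ip, ts in pending.items()]
    return high, review


if __name__ == "__main__":
    high, review = hunt(SAMPLE_LOG)
    print("high-fidelity:", high)
    print("review:", review)
```

Point it at the contents of the `u_ex*.log` files from the ShareFile server's IIS log directory. Blocked (non-200) config.aspx hits from outside the allow-list still land in the review list, since a probe that fails today may succeed tomorrow; the high-fidelity entries carry the follow-on `.aspx` requests, which is where a web shell's command traffic shows up.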
---

## Remediation Steps

1.  **Patch Immediately:** The only effective remediation is to update all Progress ShareFile Storage Zones Controller instances to version 5.12.4 or newer. This is a critical, time-sensitive action and a direct application of **[D3FEND Software Update](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)**.
2.  **Restrict Access:** If patching is delayed, immediately apply strict firewall rules that limit access to the ShareFile server to trusted IP addresses only. This is a temporary measure until patching is complete, not a substitute for it.
3.  **Review Security Posture:** Given that this is another critical vulnerability in a Progress file-transfer product, organizations using ShareFile should conduct a thorough security review and consider whether continued use of an on-premises, internet-facing file server aligns with their risk appetite.

---

## CVE Reference

| CVE | CVSS | Severity | In CISA KEV |
|---|---|---|---|
| [CVE-2026-2699](https://www.cve.org/CVERecord?id=CVE-2026-2699) | 9.8 | Critical | No (at time of writing) |
| [CVE-2026-2701](https://www.cve.org/CVERecord?id=CVE-2026-2701) | 9.1 | Critical (the source metadata labels it high; 9.1 sits in the CVSS v3 critical band of 9.0 to 10.0) | No (at time of writing) |

## Timeline

- **2026-03-10:** Progress releases ShareFile Storage Zones Controller 5.12.4, patching both vulnerabilities.
- **2026-04-02:** watchTowr Labs publishes a technical write-up and proof-of-concept for the vulnerability chain.

## MITRE ATT&CK Mapping

| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1505.003 | Web Shell | Persistence |

The advisory describes no separate privilege escalation step beyond code execution as the web service account, so T1068 should be read as a likely follow-on rather than part of the disclosed chain.

**Mitigations**

- **M1051 Update Software** (D3FEND [D3-SU Software Update](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)): Applying the patch from Progress is the only definitive way to remediate the vulnerability.
- **M1035 Limit Access to Resource Over Network** (D3FEND [D3-NI Network Isolation](https://d3fend.mitre.org/technique/d3f:NetworkIsolation)): Restricting access to the ShareFile server via firewall rules can serve as a temporary compensating control.

## D3FEND Countermeasures

- **[D3-SU Software Update](https://d3fend.mitre.org/technique/d3f:SoftwareUpdate)** (M1051): The primary, and only truly effective, defense against this chain is to update all on-premises Progress ShareFile Storage Zones Controller instances to version 5.12.4 or later. Given the public availability of a proof-of-concept exploit, treat this as an emergency change. Use your asset inventory and vulnerability management systems to identify every ShareFile SZC instance, confirm its version, and deploy the patch immediately. The history of mass exploitation of Progress Software products (e.g., MOVEit) shows that threat actors move quickly to scan for and compromise unpatched systems.
- **[D3-WLA Web Log Analysis](https://d3fend.mitre.org/technique/d3f:WebLogAnalysis)** (M1047 Audit): For detection and hunting, analyze the IIS web logs from ShareFile servers. Ingest them into a SIEM and create rules for the two stages of the attack. First, alert on any access to administrative URLs such as `/config.aspx` from IP addresses not on a pre-defined allow-list of administrator addresses; this catches the authentication bypass. Second, alert on any HTTP POST that is followed by the creation of a file with an executable web extension (e.g., `.aspx`, `.ashx`) in the ShareFile web directory; the POST comes from the IIS log and the file creation from file integrity monitoring or EDR, since IIS logs alone do not record what a request wrote to disk. Correlating the two events from the same source IP within a short time window is a high-fidelity indicator of compromise.

## Cyber Observables

| Type | Value | Context | Description | Confidence |
|---|---|---|---|---|
| `url_pattern` | `/config.aspx` | IIS logs, WAF logs | Access to the configuration page, which should be restricted. Unauthorized access from external IPs is a key indicator of CVE-2026-2699 exploitation. | high |
| `file_path` | `C:\inetpub\wwwroot\Citrix\StorageCenter\` | File integrity monitoring, EDR | Default web root for ShareFile SZC. Monitor this directory and its subdirectories for the creation of unexpected `.aspx` files (web shells). | high |
| `process_name` | `w3wp.exe` | EDR, Windows Event ID 4688 | The IIS worker process. Monitor for it spawning child processes such as `cmd.exe` or `powershell.exe`, which indicates web shell execution. | high |

No atomic IOCs (file hashes, attacker IP addresses) had been published at the time of writing.

## Impact Scope

- **Geographic scope:** global, with the highest exposure in the United States and Germany.
- **Industries affected:** Technology, Finance, Healthcare, Legal Services.
- **Other affected:** users of on-premises Progress ShareFile.

## Entities

- Progress Software (vendor): https://www.progress.com/
- ShareFile Storage Zones Controller (product)
- watchTowr Labs (security organization)

## Sources

- Check Point Research, "6th April – Threat Intelligence Report": https://research.checkpoint.com/2026/04/06/6th-april-threat-intelligence-report/
- SOCRadar, "Progress ShareFile Flaws CVE-2026-2699 & CVE-2026-2701 RCE": https://socradar.io/progress-sharefile-flaws-cve-2026-2699-cve-2026-2701-rce/
- Cybersecurity Dive, "Researchers warn of critical flaws in Progress ShareFile": https://www.cybersecuritydive.com/news/progress-sharefile-vulnerabilities-rce/712128/
- Arctic Wolf, "CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain": https://www.arcticwolf.com/resources/blog/cve-2026-2699-cve-2026-2701-progress-sharefile-storage-zones-controller-pre-auth-rce-chain

**Tags:** Progress ShareFile, RCE, vulnerability chain, CVE-2026-2699, CVE-2026-2701, authentication bypass, web shell

Extracted 2026-04-06T15:00:00Z.
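The process-monitoring observable above (`w3wp.exe` spawning a shell, seen through Windows Event ID 4688) as an added example, not part of the advisory. It rebuilds the parent-child tree from constructed 4688 records so that a shell launched indirectly (w3wp.exe, then cmd.exe, then powershell.exe) is caught as well as a direct child; the PIDs, paths, user names and the `StorageCenter` app pool name are assumptions.

```python
"""Find command shells descended from the IIS worker process, using Windows
Security event 4688 (process creation) records.

Added example, not part of the advisory. A 4688 event carries the new
process name and PID, the creator's PID ("ProcessId") and, on Windows
Server 2016 / Windows 10 and later, the creator's name ("ParentProcessName"),
so the parent-child tree can be rebuilt from the log alone. CommandLine is
only populated when the "Include command line in process creation events"
policy is on, so the rule does not depend on it. The records below are
constructed; PIDs, paths, user names and the app pool name are assumptions.
"""
import ntpath

IIS_WORKER = "w3wp.exe"
# Children that a ShareFile worker process has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed 4688 records (subset of the event's fields), in log order.
# w3wp.exe (0x1a2c) spawns cmd.exe, which spawns powershell.exe; an unrelated
# explorer.exe also spawns cmd.exe and must not be flagged.
EVENTS = [
    {"NewProcessId": "0x1a2c", "NewProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ProcessId": "0x3f0", "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "SubjectUserName": "StorageCenter", "CommandLine": ""},
    {"NewProcessId": "0x2b10", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "0x1a2c", "ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "SubjectUserName": "StorageCenter", "CommandLine": "cmd.exe /c whoami"},
    {"NewProcessId": "0x2b44",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ProcessId": "0x2b10", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectUserName": "StorageCenter", "CommandLine": ""},
    {"NewProcessId": "0x0a00", "NewProcessName": r"C:\Windows\explorer.exe",
     "ProcessId": "0x0900", "ParentProcessName": r"C:\Windows\System32\winlogon.exe",
     "SubjectUserName": "jdoe", "CommandLine": ""},
    {"NewProcessId": "0x0a40", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ProcessId": "0x0a00", "ParentProcessName": r"C:\Windows\explorer.exe",
     "SubjectUserName": "jdoe", "CommandLine": "cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path).lower()


def detect_webshell_children(events):
    """Return one finding per suspicious process that descends from w3wp.exe,
    with its ancestor chain (nearest parent first). Records are processed in
    order, so a reused PID resolves to the most recent process with that id."""
    by_pid = {}        # NewProcessId -> (NewProcessName, creator ProcessId)
    findings = []
    for ev in events:
        by_pid[ev["NewProcessId"]] = (ev["NewProcessName"], ev["ProcessId"])
        if basename(ev["NewProcessName"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain, pid, hops = [], ev["ProcessId"], 0
        while pid in by_pid and hops < 16:   # hop cap guards against PID-reuse cycles
            name, pid = by_pid[pid]
            chain.append(basename(name))
            hops += 1
            if chain[-1] == IIS_WORKER:
                break
        # Creator's own 4688 not in the window we have: fall back to its name.
        if not chain and ev.get("ParentProcessName"):
            chain.append(basename(ev["ParentProcessName"]))
        if IIS_WORKER in chain:
            findings.append({"process": ev["NewProcessName"],
                             "user": ev["SubjectUserName"],
                             "chain": chain,
                             "cmdline": ev.get("CommandLine", "")})
    return findings


if __name__ == "__main__":
    for f in detect_webshell_children(EVENTS):
        print(f)
```

Run it over 4688 events exported from the ShareFile server (or the equivalent EDR process-creation telemetry). The chain in each finding is what an analyst needs first: a direct `w3wp.exe` parent means the web shell ran the command itself, while a longer chain shows the attacker has already moved to a second-stage tool.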