Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments.
Progress ShareFile is a document sharing and collaboration product typically used by large and mid-sized companies.
Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in Accellion FTA, SolarWinds Serv-U, Gladinet CentreStack, GoAnywhere MFT, MOVEit Transfer, and Cleo.
Researchers at offensive security company watchTowr discovered an authentication bypass (CVE-2026-2699) and a remote code execution (CVE-2026-2701) in the Storage Zones Controller (SZC) component present in branch 5.x of Progress ShareFile.
SZC gives customers more control over their data by allowing them to store it on their infrastructure (either on-prem or in a third-party cloud provider) or on the Progress systems.
Following watchTowr’s responsible disclosure, the problems have been addressed in Progress ShareFile 5.12.4, released on March 10.
How the attack works
In a report today, watchTowr researchers explain that the attack begins by exploiting the authentication bypass issue, CVE-2026-2699, which gives access to the ShareFile admin interface due to improper handling of HTTP redirects.
Once inside, an attacker can modify Storage Zone configuration settings, including file storage paths and security-sensitive parameters such as the zone passphrase and related secrets.
By exploiting the second flaw, CVE-2026-2701, attackers can obtain remote code execution on the server by abusing file upload and extraction functionality to place malicious ASPX webshells in the application’s webroot.
The researchers note that, for the exploit to work, attackers must generate valid HMAC signatures and extract and decrypt internal secrets. However, these are achievable after exploiting CVE-2026-2699 due to the ability to set or control passphrase-related values.
Source: WatchTowr
Impact and exposure
By watchTowr’s scans, there are about 30,000 Storage Zone Controller instances exposed on the public internet.
The ShadowServer Foundation currently observes 700 internet-exposed instances of Progress ShareFile, most of which are located in the United States and Europe.
watchTowr discovered the two flaws and reported them to Progress between February 6 and 13, and the full exploit chain was confirmed on February 18 for Progress ShareFile 5.12.4. The vendor released security updates in version 5.12.4, released on March 10.
Although no active exploitation in the wild has been observed as of writing, systems running vulnerable versions of ShareFile Storage Zone Controller should be patched immediately, as the public disclosure of the chain is likely to entice threat actors.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
