Critical CVE-2026-2699 and CVE-2026-2701 Vulnerabilities Force Immediate Shutdown of Progress ShareFile Storage Zone Controller v5.x

Critical CVE-2026-2699 and CVE-2026-2701 Vulnerabilities Force Immediate Shutdown of Progress ShareFile Storage Zone Controller v5.x

Executive Summary

On July 10, 2026, Progress Software issued an urgent directive to all ShareFile customers to immediately shut down their Storage Zone Controllers (SZC) due to a credible external security threat. This unprecedented action follows the discovery of two critical vulnerabilities, CVE-2026-2699 and CVE-2026-2701, affecting on-premises deployments of ShareFile Storage Zones Controller version 5.x. These vulnerabilities enable unauthenticated remote attackers to access configuration pages and potentially achieve remote code execution, posing a severe risk of system compromise. No patch is currently available, and all on-prem SZC v5.x deployments are at risk. Cloud-only ShareFile accounts are not affected. As of this report, there is no confirmation of exploitation in the wild, but the risk is considered critical.

Technical Information

The vulnerabilities at the core of this advisory are CVE-2026-2699 (Execution After Redirect) and CVE-2026-2701 (Remote Code Execution). Both affect the ShareFile Storage Zones Controller v5.x, a component typically deployed at the network edge and often internet-accessible, making it a high-value target for adversaries.

CVE-2026-2699 allows unauthenticated attackers to access configuration pages after a redirect, effectively bypassing authentication controls. This flaw exposes sensitive configuration interfaces to the internet, enabling attackers to manipulate system settings without valid credentials.

CVE-2026-2701 enables unauthenticated remote code execution via manipulation of configuration endpoints. By exploiting this vulnerability, an attacker can execute arbitrary code on the SZC server, potentially gaining full control over the system and facilitating lateral movement within the network.

The attack surface is significant due to the typical deployment of SZC at the network perimeter. The potential impact includes unauthorized access to configuration, system reconfiguration, full remote code execution, and the possibility of attackers leveraging compromised SZC servers to pivot deeper into the organization’s infrastructure.

Historical context is important: in 2023, a similar unauthenticated RCE (CVE-2023-24489) was actively exploited by threat actors, including ransomware groups. The MOVEit zero-day (2023) was also exploited by the Clop ransomware group, affecting thousands of organizations. These precedents underscore the attractiveness of file transfer and storage solutions as targets for both financially motivated and state-sponsored actors.

Relevant MITRE ATT&CK techniques include T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts, if credentials are stolen post-exploitation), and T1059 (Command and Scripting Interpreter, for RCE).

Exploitation in the Wild

As of July 10, 2026, there is no confirmed exploitation in the wild for CVE-2026-2699 or CVE-2026-2701 according to Progress Software and public advisories. Neither CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and thus there is no CISA-confirmed active exploitation. However, the urgency of the shutdown order and the criticality of the vulnerabilities suggest that exploitation attempts are likely under active investigation. Community reports, including those on Reddit’s r/sysadmin, confirm widespread shutdowns and concern over possible compromise.

APT Groups using this vulnerability

No specific Advanced Persistent Threat (APT) or ransomware group attribution has been made for these vulnerabilities as of this report. However, based on historical exploitation patterns—such as the Clop ransomware group’s attacks on MOVEit and previous ShareFile vulnerabilities—it is highly probable that ransomware operators and APTs targeting file transfer and storage solutions will attempt to exploit these flaws. Organizations should remain vigilant for activity from groups known to target similar platforms.

Affected Product Versions

The affected product versions are all on-premises deployments of ShareFile Storage Zones Controller v5.x prior to v5.12.4. Versions v5.12.4 and all v6.x releases are not vulnerable to these specific issues. Cloud-only ShareFile accounts are not impacted by these vulnerabilities.

Workaround and Mitigation

The only current mitigation is to immediately shut down all on-premises Storage Zone Controllers. Do not bring SZC servers back online until Progress Software provides further guidance or a patch. Organizations should preserve forensic evidence and begin incident response procedures if their SZC was internet-exposed. Once a patch or clearance is announced, upgrade to v5.12.4 or any v6.x version. Official vendor guidance and status updates are available at the Progress Security Advisory and Progress Status Page.

Indicators of Compromise

As of this report, no public indicators of compromise (IOCs) have been published for CVE-2026-2699 or CVE-2026-2701. Organizations are advised to monitor for unfamiliar .aspx files in web directories, unexpected changes in configuration files, unusual outbound connections from SZC servers, and suspicious logins or access attempts in SZC logs. All indicators are point-in-time and should be validated before enforcement.

References

Progress Security Advisory, The Hacker News, Reddit: r/sysadmin, MITRE ATT&CK TTPs

Rescana is here for you

Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their vendor ecosystem. Our platform delivers actionable intelligence and automated workflows to help you stay ahead of emerging threats. We are happy to answer questions at info@rescana.com.