Critical Service Disruption Analysis: Zero-Day Vulnerabilities (CVE-2026-2699 & CVE-2026-2701) Impacting Progress ShareFile Storage Zones Controller v5.x

Critical Service Disruption Analysis: Zero-Day Vulnerabilities (CVE-2026-2699 & CVE-2026-2701) Impacting Progress ShareFile Storage Zones Controller v5.x

Executive Summary

Progress Software has confirmed two critical zero-day vulnerabilities, CVE-2026-2699 and CVE-2026-2701, affecting the ShareFile Storage Zones Controller (SZC) version 5.x. These vulnerabilities, disclosed in July 2026, forced an emergency shutdown of customer-managed Storage Zone Controllers. The flaws allow unauthenticated remote attackers to access configuration pages, potentially resulting in unauthorized system configuration changes and remote code execution. Progress Software has released patched versions and strongly urges all customers to upgrade immediately to mitigate risk.

Technical Information

The vulnerabilities in ShareFile Storage Zones Controller are severe due to their unauthenticated remote attack vector and the potential for full system compromise. CVE-2026-2699 is categorized as an "Execution After Redirect" flaw, while CVE-2026-2701 enables Remote Code Execution (RCE). Both vulnerabilities affect all v5.x versions prior to v5.12.4. The v6.x branch is not impacted.

The technical root cause lies in improper access controls on the configuration interfaces of the SZC. An attacker can remotely access these interfaces without authentication, allowing them to alter system configurations or execute arbitrary code on the underlying server. This could lead to lateral movement within the network, data exfiltration, or deployment of additional malicious payloads.

The attack surface is exposed through public-facing configuration endpoints. If these endpoints are accessible from the internet or untrusted networks, exploitation risk is significantly elevated. The vulnerabilities were discovered following a credible external threat report, prompting Progress Software to instruct customers to immediately shut down affected servers and apply the released patches before restoring operations.

Exploitation in the Wild

As of July 14, 2026, there are no confirmed reports of exploitation in the wild for either CVE-2026-2699 or CVE-2026-2701. Both Progress Software and multiple reputable security news outlets have stated that, while the vulnerabilities are critical and easily exploitable, there is no evidence of customer breaches or data theft linked to these flaws at this time. No public proof-of-concept exploit code has been released, and no threat actors have been observed leveraging these vulnerabilities in active campaigns.

APT Groups using this vulnerability

There are currently no known Advanced Persistent Threat (APT) groups or ransomware gangs publicly linked to exploitation of CVE-2026-2699 or CVE-2026-2701. Threat intelligence sources and MITRE ATT&CK mappings do not list any APT activity associated with these vulnerabilities. The absence of public proof-of-concept code and the rapid vendor response have likely limited the window of opportunity for threat actors.

Affected Product Versions

The vulnerabilities impact all versions of ShareFile Storage Zones Controller v5.x prior to v5.12.4. This includes versions v5.0, v5.1, v5.2, v5.3, v5.4, v5.5, v5.6, v5.7, v5.8, v5.9, v5.10, v5.11, v5.12, v5.12.1, v5.12.2, and v5.12.3. All v6.x versions are not affected by these vulnerabilities.

Workaround and Mitigation

Progress Software has released v5.12.4 for the v5.x branch, which remediates both vulnerabilities. Customers are instructed to immediately upgrade to v5.12.4 or migrate to any v6.x version, which is not impacted. Affected servers should remain offline until the patch is applied. In addition to patching, organizations should restrict access to management interfaces to trusted networks, monitor logs for suspicious activity related to configuration page access or unauthorized changes, and subscribe to vendor security bulletins for ongoing updates.

Indicators of Compromise

The following caveat applies: Indicators of Compromise (IOCs) are point-in-time and should be validated before enforcement. As of July 14, 2026, no public indicators of compromise have been released by Progress Software or third-party researchers. Customers are advised to monitor for unusual access to configuration pages, unexpected changes in system configuration, and unexplained remote code execution or new processes on SZC servers.

References

Official Vendor Advisory: Security Vulnerability Fix For ShareFile Storage Zones Controller 5.x (February 2026)

NVD Entries: CVE-2026-2699 - NVD CVE-2026-2701 - NVD

News Coverage: BleepingComputer: Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown The Hacker News: URGENT - Progress Tells ShareFile Customers to Shut Down Storage HelpNetSecurity: Security threat prompts Progress to disable ShareFile accounts, tell customers to shut down servers

Community Discussion: Reddit /r/sysadmin: PSA: Shutdown your Sharefile Storage Zone Controllers NOW

Rescana is here for you

Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform. Our solution provides continuous monitoring, automated risk assessments, and actionable intelligence to help you stay ahead of emerging threats. We are committed to supporting your cybersecurity resilience and are happy to answer any questions at info@rescana.com.