Critical Progress ShareFile Flaws Let Attackers Hijack Servers Remotely
Key Takeaways A critical attack chain in Progress ShareFile Storage Zones Controller 5.x allows unauthenticated remote server hijacking. Two vulnerabilities, CVE-2026-2699 (CVSS 9.8) and...
Key Takeaways
- A critical attack chain in Progress ShareFile Storage Zones Controller 5.x allows unauthenticated remote server hijacking.
- Two vulnerabilities, CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1), enable authentication bypass and remote code execution.
- Approximately 30,000 internet-facing instances of the affected software are estimated to exist, making them prime targets.
- Progress released patches on April 2, 2026, with fixes available in version 5.12.4 and all 6.x releases.
Progress ShareFile Vulnerabilities Expose On-Premises Servers to Remote Hijacking
A severe vulnerability chain has been discovered in Progress ShareFile, enabling threat actors to gain complete control over exposed on-premises servers without requiring any prior authentication. This critical flaw affects customer-managed ShareFile Storage Zones Controller 5.x deployments.
Table Of Content
Progress has urged affected organizations to upgrade their systems immediately to version 5.12.4 or migrate to any 6.x release, as these versions are not impacted by the security issues.
Technical Breakdown of the Attack Chain
According to analyses by both Progress and WatchTower, the exploit leverages two distinct vulnerabilities. The first, an authentication bypass, exposes restricted configuration pages to unauthenticated users. The second vulnerability then facilitates remote code execution through the upload and execution of malicious files.
RunZero has classified both identified flaws as critical: CVE-2026-2699, with a CVSS score of 9.8, and CVE-2026-2701, rated at 9.1.
The attack specifically targets the ShareFile Storage Zones Controller, an on-premises component that allows organizations to store files within their own infrastructure while still utilizing ShareFile’s cloud-based management interface. This architecture is frequently adopted by enterprises with stringent compliance, data sovereignty, or internal security mandates. WatchTower estimates that approximately 30,000 such Storage Zone Controller instances are currently accessible via the internet.
These servers are particularly attractive targets for ransomware groups and other malicious actors due to their position at the periphery of critical file-sharing workflows.
Deep Dive into the Vulnerabilities
WatchTowr researchers identified that the authentication bypass, CVE-2026-2699, stems from an “Execution After Redirect” condition on the Admin.aspx configuration page. Essentially, the application sends an HTTP 302 redirect to the login page, but the underlying page logic continues to execute. This allows an unauthenticated user to access administrative functionality that should be restricted. The researchers attributed this behavior to an improper implementation of the redirect function, which fails to halt execution as intended.
Once an attacker bypasses authentication and gains access to the administrative interface, they can modify critical zone settings, including storage paths and passphrase-related values. This access is compounded by the second vulnerability, CVE-2026-2701, which permits the upload and extraction of a malicious archive into a server-controlled path, including web-accessible directories.
In a proof-of-concept demonstration, this exploit chain enabled the placement of an ASPX webshell directly into the ShareFile webroot, facilitating remote code execution on the server.
Progress has stated that it has not received any reports of active exploitation of these vulnerabilities to date. However, the vendor categorized the issues as critical and released patches on April 2, 2026. WatchTower’s timeline indicates that the bugs were privately disclosed in February, replicated by Progress mid-February, and fixed in ShareFile Storage Zones Controller 5.12.4 on March 10, ahead of public disclosure in April.
What You Should Do
- Identify Affected Systems: Immediately locate any exposed ShareFile Storage Zones Controller 5.x deployments within your environment.
- Patch Immediately: Upgrade all vulnerable systems to ShareFile Storage Zones Controller version 5.12.4 or migrate to any 6.x release.
- Review for Compromise: Conduct a thorough review of patched systems for any suspicious configuration changes, unauthorized administrative access, or unexpected files, particularly in web-facing directories.
- Monitor Network Traffic: Implement enhanced monitoring for unusual network activity originating from or directed towards your ShareFile Storage Zones Controllers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.