Critical ShareFile Flaws Lead to Unauthenticated RCE

Summary

WatchTowr discovered two critical vulnerabilities in Citrix ShareFile that can be chained together to achieve unauthenticated remote code execution. CVE-2026-2699 (CVSS 9.8) is an Execution After Redirect flaw allowing access to restricted admin pages, while CVE-2026-2701 (CVSS 9.1) permits arbitrary file upload. By exploiting both flaws, attackers can bypass authentication, configure malicious storage zones, upload web shells, and gain full RCE on affected instances.

Full text

Two critical-severity vulnerabilities in the ShareFile content collaboration and file-sharing platform could be chained together for unauthenticated remote code execution (RCE), attack surface management firm WatchTowr warns. One of the bugs, tracked as CVE-2026-2699 (CVSS score of 9.8), allows unauthenticated attackers to access configuration pages that should be restricted. According to WatchTowr, the flaw is an Execution After Redirect (EAR) issue that was uncovered when attempting to access an administrative endpoint through the browser. While the browser did redirect to a login page that could only be accessed from the local host, thus resulting in an error, the header contained more information than normal. By modifying the HTTP response and dropping the Location header, the cybersecurity firm obtained access to an admin page for Storage Zone configurations. This allowed the company to configure a Zone to connect to a local network, modify various Zone parameters, including the current ShareFile passphrase, and force a victim Storage Zone Controller to join a malicious Zone, without authentication.Advertisement. Scroll to continue reading. “We could change the victim’s Storage Repository to point to an AWS S3 Bucket we control, meaning that when files are synced or uploaded to the instance, they’re sent to a repository we can control, effectively exfiltrating sensitive files,” WatchTowr notes. By connecting a victim Controller to their Zone, an attacker gains administrative access to that file storage solution and can abuse built-in functionality to upload files to arbitrary locations. “Products like this typically allow you to specify the file storage location. We could just reconfigure ShareFile to store uploaded files in a potentially dangerous location, such as the application’s webroot directory,” the cybersecurity firm notes. Digging through the application’s file upload functionality, WatchTowr discovered CVE-2026-2701 (CVSS score of 9.1), an arbitrary file upload issue it could exploit to drop a web shell and achieve RCE. Next, the cybersecurity firm managed to chain the two vulnerabilities to achieve unauthenticated RCE on a vulnerable ShareFile instance. Both issues were reported to ShareFile in early February and were addressed in version 5.12.4 of the application. ShareFile versions 6.x are not affected. Related: Critical Vulnerability in Claude Code Emerges Days After Source Leak Related: Exploitation of Fresh Citrix NetScaler Vulnerability Begins Related: Exploitation of Critical Fortinet FortiClient EMS Flaw Begins Related: CISA Flags Critical PTC Vulnerability That Had German Police Mobilized Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Cisco Patches Critical and High-Severity Vulnerabilities250,000 Affected by Data Breach at Nacogdoches Memorial HospitalMercor Hit by LiteLLM Supply Chain AttackSophisticated CrystalX RAT EmergesLinx Security Raises $50 Million for Identity Security and GovernanceDepthfirst Raises $80 Million in Series B FundingNew DeepLoad Malware Dropped in ClickFix AttacksUS Charges Uranium Crypto Exchange Hacker Latest News TrueConf Zero-Day Exploited in Asian Government AttacksIn Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by RansomwareMobile Attack Surface Expands as Enterprises Lose ControlReact2Shell Exploited in Large-Scale Credential Harvesting CampaignT-Mobile Sets the Record Straight on Latest Data Breach FilingNorth Korean Hackers Drain $285 Million From Drift in 10 SecondsCritical Vulnerability in Claude Code Emerges Days After Source LeakApple Rolls Out DarkSword Exploit Protection to More Devices Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveScott Goree has been appointed Senior Vice President of Channel and Alliances at Delinea.Kai has named Nick Degnan as Chief Revenue Officer.Joe Sullivan has been appointed Strategic Advisor at cloud security firm Upwind.More People On The MoveExpert Insights The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-2699
• cve — CVE-2026-2701

Entities