New Progress ShareFile flaws can be chained in pre-auth RCE attacks
Two chained Progress ShareFile flaws enable unauthenticated RCE and file exfiltration.
Summary
Researchers at watchTowr discovered two vulnerabilities in Progress ShareFile's Storage Zones Controller (SZC) component that can be chained to achieve pre-authentication remote code execution and data theft. An authentication bypass (CVE-2026-2699) allows attackers to access admin settings and extract secrets, which they then use to exploit a file upload flaw (CVE-2026-2701) to deploy ASPX webshells. Progress released patches in version 5.12.4 on March 10, 2026, but approximately 30,000 SZC instances remain exposed on the public internet, making immediate patching critical.
Full text
New Progress ShareFile flaws can be chained in pre-auth RCE attacks By Bill Toulas April 2, 2026 09:33 AM 0 Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments. Progress ShareFile is a document sharing and collaboration product typically used by large and mid-sized companies. Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in Accellion FTA, SolarWinds Serv-U, Gladinet CentreStack, GoAnywhere MFT, MOVEit Transfer, and Cleo. Researchers at offensive security company watchTowr discovered an authentication bypass (CVE-2026-2699) and a remote code execution (CVE-2026-2701) in the Storage Zones Controller (SZC) component present in branch 5.x of Progress ShareFile. SZC gives customers more control over their data by allowing them to store it on their infrastructure (either on-prem or in a third-party cloud provider) or on the Progress systems. Following watchTowr's responsible disclosure, the problems have been addressed in Progress ShareFile 5.12.4, released on March 10. How the attack works In a report today, watchTowr researchers explain that the attack begins by exploiting the authentication bypass issue, CVE-2026-2699, which gives access to the ShareFile admin interface due to improper handling of HTTP redirects. Once inside, an attacker can modify Storage Zone configuration settings, including file storage paths and security-sensitive parameters such as the zone passphrase and related secrets. By exploiting the second flaw, CVE-2026-2701, attackers can obtain remote code execution on the server by abusing file upload and extraction functionality to place malicious ASPX webshells in the application’s webroot. The researchers note that, for the exploit to work, attackers must generate valid HMAC signatures and extract and decrypt internal secrets. However, these are achievable after exploiting CVE-2026-2699 due to the ability to set or control passphrase-related values. Overview of the exploit chainSource: WatchTowr Impact and exposure By watchTowr's scans, there are about 30,000 Storage Zone Controller instances exposed on the public internet. The ShadowServer Foundation currently observes 700 internet-exposed instances of Progress ShareFile, most of which are located in the United States and Europe. watchTowr discovered the two flaws and reported them to Progress between February 6 and 13, and the full exploit chain was confirmed on February 18 for Progress ShareFile 5.12.4. The vendor released security updates in version 5.12.4, released on March 10. Although no active exploitation in the wild has been observed as of writing, systems running vulnerable versions of ShareFile Storage Zone Controller should be patched immediately, as the public disclosure of the chain is likely to entice threat actors. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: GIGABYTE Control Center vulnerable to arbitrary file write flawCritical Fortinet Forticlient EMS flaw now exploited in attacksCISA: New Langflow flaw actively exploited to hijack AI workflowsPTC warns of imminent threat from critical Windchill, FlexPLM RCE bugVeeam warns of critical flaws exposing backup servers to RCE attacks
Indicators of Compromise
- cve — CVE-2026-2699
- cve — CVE-2026-2701