Critical Vulnerabilities in Progress ShareFile Enable Unauthenticated File Exfiltration

Severity: High (Score: 72.0)

Sources: Cybersecuritydive, Digital.Nhs.Uk, Scworld, Gbhackers, Bleepingcomputer

Published: 2026-04-03 · Updated: 2026-04-07

Keywords: progress, sharefile, vulnerabilities, chained, multiple, allow, remote

Severity indicators: vulnerabilities, remote code execution, ot

Summary

Two critical vulnerabilities, CVE-2026-2699 and CVE-2026-2701, have been identified in Progress ShareFile's Storage Zones Controller, allowing unauthenticated attackers to perform remote code execution and potentially exfiltrate files. The vulnerabilities can be chained, starting with an authentication bypass that grants access to the admin interface, followed by remote code execution through file upload functionality. Approximately 30,000 instances of Progress ShareFile are exposed on the internet, with around 700 identified by the ShadowServer Foundation. Progress released a patch in version 5.12.4 on March 10, 2026, addressing these vulnerabilities. No active exploitation has been reported yet, but the public disclosure raises concerns about potential attacks. Organizations using affected versions are urged to apply the patch immediately to mitigate risks.

Key Points:

  • Two critical vulnerabilities in Progress ShareFile allow unauthenticated file exfiltration.
  • Approximately 30,000 instances of ShareFile are exposed to the public internet.
  • Organizations are urged to patch immediately following the release of version 5.12.4.

Detailed Analysis

**Impact** Approximately 30,000 instances of Progress ShareFile Storage Zone Controller (SZC) are exposed to the public internet, with around 700 confirmed by ShadowServer Foundation, primarily in the United States and Europe. Affected organizations include large and mid-sized companies across sectors such as finance and healthcare that rely on ShareFile for secure document sharing and compliance. Exploitation could lead to unauthorized file exfiltration, remote code execution, and full server compromise, risking sensitive data breaches and potential ransomware attacks.

**Technical Details** The attack chain exploits two vulnerabilities: an authentication bypass (CVE-2026-2699) allowing unauthenticated access to the ShareFile admin interface, and a remote code execution flaw (CVE-2026-2701) via file upload functionality to deploy malicious ASPX webshells. Attackers manipulate Storage Zone configurations, including file paths and security parameters, and generate valid HMAC signatures by extracting internal secrets. The kill chain stages include initial access (TA0001) and exploitation of public-facing applications (T1190). Public proof-of-concept code is available, but no active exploitation has been reported.

**Recommended Response** Organizations must immediately apply the Progress ShareFile 5.12.4 update released on March 10, 2026, which addresses both vulnerabilities. Defenders should monitor for unauthorized access to the admin interface, anomalous changes to Storage Zone configurations, and presence of webshells in the application webroot. Network defenses should block suspicious HMAC signature generation attempts and file uploads. Continuous exposure scanning and incident response readiness are advised given the public disclosure and potential for exploitation.
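The following is an added example, not code from Progress or from the source articles: one way to triage IIS W3C logs for two of the monitoring points above, admin-interface requests from outside a management network and ASPX pages being served that are not in a known-good inventory. The admin path, management subnet, page inventory and log lines are all constructed placeholders, because the page does not give the real paths.

```python
import ipaddress

# Assumptions (not from the advisory): placeholder admin path, management
# subnet and known-good page inventory. Replace with your deployment's values.
ADMIN_PREFIX = "/placeholder-admin-path/"
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]
KNOWN_PAGES = {"/placeholder-admin-path/admin.aspx", "/default.aspx"}

# Constructed IIS W3C log sample, not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2026-04-03 09:12:01 10.0.5.20 GET /PLACEHOLDER-ADMIN-PATH/Admin.aspx 200
2026-04-03 11:40:17 203.0.113.50 GET /PLACEHOLDER-ADMIN-PATH/Admin.aspx 200
2026-04-03 11:41:02 203.0.113.50 POST /PLACEHOLDER-ADMIN-PATH/Admin.aspx 200
2026-04-03 11:43:30 203.0.113.50 GET /PLACEHOLDER-UPLOADS/x1.aspx 200
2026-04-03 11:44:00 198.51.100.7 GET /missing.aspx 404
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_mgmt(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_NETS)

def triage(text):
    """Return (rule, client_ip, uri) findings for successfully served requests."""
    findings = []
    for r in parse_w3c(text):
        uri, low = r["cs-uri-stem"], r["cs-uri-stem"].lower()
        if not r["sc-status"].startswith("2"):
            continue  # only responses the server actually served
        if low.startswith(ADMIN_PREFIX) and not is_mgmt(r["c-ip"]):
            findings.append(("admin-from-untrusted", r["c-ip"], uri))
        elif low.endswith(".aspx") and low not in KNOWN_PAGES:
            findings.append(("unknown-aspx-served", r["c-ip"], uri))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

If the controller sits behind a reverse proxy, `c-ip` is the proxy's address, so the allowlist check needs the forwarded client address instead. Build the page inventory from a clean install of the patched version rather than from the running server.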

Source articles (7)

  • New Progress ShareFile flaws can be chained in pre — Bleepingcomputer · 2026-04-02
    Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments. Progress ShareFile…
  • Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution — Cisecurity · 2026-04-02
    Multiple vulnerabilities have been discovered in Progress ShareFile, which when chained together, could allow for remote code execution. Progress ShareFile is a secure, cloud-based content collaborati…
  • New Progress ShareFile Flaws Expose Servers to Unauthorized Remote Takeover — Gbhackers · 2026-04-03
    Security researchers at watchTowr Labs have disclosed a critical exploit chain in the Progress ShareFile Storage Zone Controller. The vulnerabilities, tracked as CVE-2026-2699 and CVE-2026-2701, enabl…
  • Progress ShareFile vulnerabilities allow unauthenticated file exfiltration | brief — Scworld · 2026-04-03
    As outlined in Bleeping Computer, two critical vulnerabilities in Progress ShareFile, an enterprise file transfer solution, have been discovered that can be chained together to allow unauthenticated f…
  • Researchers warn of critical flaws in Progress ShareFile — Cybersecuritydive · 2026-04-03
    Attackers could chain vulnerabilities together, leading to configuration changes or remote code execution. Security researchers warn that chaining two critical vulnerabilities in Progress Software’s S…
  • Researchers warn of critical flaws in Progress ShareFile — Tech.Yahoo · 2026-04-03
    Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution. The flaws exist in ShareFile Sto…
  • CC-4767 - Progress Releases Security Updates for ShareFile Storage Zones Controller (SZC) — Digital.Nhs.Uk · 2026-04-07
    Successful exploitation could allow an unauthenticated remote attacker to access on-prem storage zones controller’s configuration pages, potentially leading to changes in system configuration and remo…

Timeline

  • 2026-02-06 — Vulnerabilities reported to Progress by watchTowr
  • 2026-02-18 — Full exploit chain confirmed for Progress ShareFile 5.12.4
  • 2026-03-10 — Patch released in Progress ShareFile version 5.12.4
  • 2026-04-02 — CVE-2026-2699 and CVE-2026-2701 published
  • 2026-04-03 — Articles published detailing vulnerabilities and risks

CVEs

  • CVE-2026-2699
  • CVE-2026-2701

Related entities

  • Data Breach (Attack Type)
  • Remote Code Execution (Attack Type)
  • Zero-day Exploit (Attack Type)
  • Progress Software (Company)
  • Germany (Country)
  • United States (Country)
  • Government (Industry)
  • Healthcare (Industry)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1203 - Exploitation for Client Execution (Mitre Attack)
  • T1505.003 - Web Shell (Mitre Attack)
  • T1567 - Exfiltration Over Web Service (Mitre Attack)
  • Cleo (Vulnerability)
  • Moveit (Vulnerability)
  • Cleo File-transfer Software (Platform)
  • MOVEit File Transfer Software (Platform)
  • Progress ShareFile (Platform)
  • Progress ShareFile Storage Zone Controller (Platform)
  • ShareFile (Platform)
  • ShareFile Storage Zones Controller (Platform)
  • Storage Zone Controller (Platform)
  • Clop (Ransomware Group)
  • Clop Ransomware Group (Ransomware Group)