Critical Vulnerabilities in Progress ShareFile Prompt Urgent Shutdown

Critical Vulnerabilities in Progress ShareFile Prompt Urgent Shutdown

First seen 13 Jul 2026, 19:28 UTC Rescananvd.nist.gov 80% similarity 68.0

Article Content

Browse articles
ThreatCluster

On July 10, 2026, Progress Software issued an urgent directive for all ShareFile customers to shut down their Storage Zone Controllers (SZC) due to critical vulnerabilities CVE-2026-2699 and CVE-2026-2701. These flaws allow unauthenticated attackers to access configuration pages and potentially execute remote code, posing severe risks to on-premises deployments of ShareFile SZC version 5.x. No patch is available, and while there is no confirmed exploitation in the wild, the vulnerabilities are considered critical. The vulnerabilities are particularly concerning due to the historical context of similar attacks on file transfer solutions. Relevant MITRE ATT&CK techniques include T1190, T1078, and T1059. Cloud-only ShareFile accounts remain unaffected by this threat.

Key Points: • Progress Software warns of critical vulnerabilities in ShareFile SZC requiring immediate shutdown. • CVE-2026-2699 and CVE-2026-2701 allow unauthenticated access and potential remote code execution. • No patches are available, and cloud-only ShareFile accounts are not impacted.

ThreatCluster AI

Timeline

2023-07-10
CVE-2023-24489 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-04-02
CVE-2026-2699 and CVE-2026-2701 published
Progress Software disclosed two critical vulnerabilities affecting ShareFile SZC v5.x.
Rescana
2026-04-08
First public PoC for CVE-2026-2699
A proof of concept for CVE-2026-2699 was made publicly available, highlighting the vulnerability.
Rescana
2026-07-10
Urgent directive issued to shut down SZC
Progress Software advised all ShareFile customers to immediately shut down their SZC due to critical vulnerabilities.
Rescana
Recent
No confirmed exploitation reported
As of July 10, 2026, there is no confirmed exploitation of CVE-2026-2699 or CVE-2026-2701 in the wild.
Rescana

Community

Browse all →