Multiple Critical Vulnerabilities in Progress ShareFile Enable Remote Code Execution
What Happened — Researchers disclosed two linked flaws (CVE‑2026‑2699, CVE‑2026‑2701) in Progress ShareFile’s Storage Zones Controller. When chained, the authentication‑bypass bug lets an attacker reach the admin console and then abuse the file‑upload/extraction feature to plant a malicious ASPX web‑shell, achieving remote code execution. Public proof‑of‑concept code has been released.
Why It Matters for TPRM —
- ShareFile is a core SaaS file‑sharing service for finance, healthcare, and government, so a compromise can expose highly regulated data across many downstream customers.
- Remote code execution on the vendor’s platform provides a foothold for lateral movement into client environments.
- Unpatched installations may trigger compliance breaches (e.g., HIPAA, PCI‑DSS) and contractual penalties.
Who Is Affected — Financial services, healthcare, government agencies, and any enterprise that uses Progress ShareFile for secure document collaboration (cloud‑based file‑sharing SaaS).
Recommended Actions —
- Identify all ShareFile instances and confirm they run version 5.12.4 or later; apply the vendor patch immediately after testing.
- Reinforce vulnerability‑management processes (NIST CSF Safeguard 7.1/7.2) and schedule regular scans of file‑upload endpoints.
- Deploy web‑application firewalls or runtime monitoring to detect anomalous ASPX web‑shell activity.
Technical Notes —
- Attack vector: chained authentication bypass + file‑upload abuse (initial access → exploit public‑facing application).
- CVE‑2026‑2699: authentication bypass via improper handling of HTTP redirects in the Storage Zones Controller.
- CVE‑2026‑2701: remote code execution by uploading malicious ASPX files that are extracted to the webroot.
- No confirmed exploitation in production environments beyond the released PoC. Source: CIS Advisory 2026‑030