Pre‑Auth RCE Chain Discovered in Progress ShareFile Storage Zones Controller (CVE‑2026‑2699 & CVE‑2026‑2701) Exposes 30K Instances
What Happened — Researchers at watchTowr identified two linked vulnerabilities in Progress ShareFile’s Storage Zones Controller (SZC): an authentication‑bypass (CVE‑2026‑2699) and a remote‑code‑execution flaw (CVE‑2026‑2701). When chained, an unauthenticated attacker can gain admin‑level access, modify storage‑zone settings, and upload malicious ASPX web‑shells to execute code and exfiltrate files.
Why It Matters for TPRM —
- Pre‑auth RCE enables attackers to compromise a trusted file‑transfer vendor, potentially impacting all downstream customers.
- Over 30 000 SZC instances are publicly reachable, increasing the attack surface for supply‑chain ransomware.
- The flaws affect on‑prem and cloud‑hosted deployments, threatening data confidentiality and business continuity.
Who Is Affected — Enterprises that use Progress ShareFile for secure file transfer, especially those hosting Storage Zones on‑premises or in third‑party clouds (technology/SaaS, cloud‑hosted services).
Recommended Actions —
- Verify that all ShareFile SZC instances run version 5.12.4 or later.
- Conduct an inventory of exposed SZC endpoints and restrict internet access via firewalls or VPNs.
- Review and harden admin‑interface authentication and HMAC secret management.
- Monitor logs for unexpected admin‑panel activity and file‑upload anomalies.
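The last two actions (restrict admin access, watch for admin-panel and upload anomalies) can be turned into a first-pass log check. The script below is an added example, not code from watchTowr, Progress, or the BleepingComputer article. It assumes the SZC host writes IIS W3C extended logs in the default field layout (the chain delivers ASPX web shells, so an ASP.NET/IIS host is the expected setup); the admin path prefix, the baseline of known `.aspx` pages, the management CIDRs and the log lines themselves are constructed placeholders, to be replaced with the real values for a given deployment.

```python
"""First-pass detection for the ShareFile SZC chain (CVE-2026-2699 / CVE-2026-2701).

Two rules run over IIS W3C extended log records:
  * unknown-aspx: a request for an .aspx page that is not in the known-good
    baseline (an uploaded web shell has to be requested to be used);
  * admin-from-outside: a request under the admin-interface prefix from a
    source address outside the approved management networks.
Prefix, baseline, CIDRs and the sample log are assumptions for this example.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List, Tuple

# Placeholder: replace with the real admin-interface path prefix of the SZC.
ADMIN_PREFIX = "/admin/"
# Placeholder baseline: every .aspx page the deployment legitimately serves.
KNOWN_ASPX = {"/default.aspx", "/admin/settings.aspx"}
# Placeholder management networks allowed to reach the admin interface.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

Finding = Tuple[str, str, str]  # (rule, source ip, request summary)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no data
        if not fields:
            raise ValueError("data line seen before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign columns
        yield dict(zip(fields, values))


def in_mgmt_net(ip: str) -> bool:
    """True if ip parses and falls inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def detect(records: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply both rules; a single record can trigger both."""
    findings: List[Finding] = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        src = r.get("c-ip", "")
        summary = f"{r.get('cs-method', '')} {stem} -> {r.get('sc-status', '')}"
        if stem.endswith(".aspx") and stem not in KNOWN_ASPX:
            findings.append(("unknown-aspx", src, summary))
        if stem.startswith(ADMIN_PREFIX) and not in_mgmt_net(src):
            findings.append(("admin-from-outside", src, summary))
    return findings


# Constructed sample log: two benign admin requests from the management
# network, then admin-interface access and a request for a never-seen .aspx
# page from an outside address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2026-03-01 10:00:01 10.0.0.5 GET /default.aspx - 443 - 10.0.1.20 Mozilla/5.0 - 200 0 0 15
2026-03-01 10:00:02 10.0.0.5 GET /admin/settings.aspx - 443 admin 10.0.1.20 Mozilla/5.0 - 200 0 0 40
2026-03-01 10:05:10 10.0.0.5 GET /admin/settings.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 38
2026-03-01 10:05:12 10.0.0.5 POST /admin/settings.aspx - 443 - 203.0.113.7 python-requests/2.31 - 302 0 0 22
2026-03-01 10:05:15 10.0.0.5 GET /uploads/x.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 9
"""


def run_sample() -> List[Finding]:
    """Run both rules over the constructed log and return the findings."""
    return detect(parse_w3c(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for rule, src, summary in run_sample():
        print(f"{rule:20} {src:15} {summary}")
```

Run against real logs, the baseline should be generated from the deployed web root rather than typed by hand, and an `unknown-aspx` hit is worth correlating with file-creation events in the same time window; the admin-from-outside rule only holds if the management ranges are actually the only legitimate sources, so check it against the firewall policy from the inventory step first.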
Technical Notes — The attack chain starts with CVE‑2026‑2699 (authentication bypass via improper HTTP‑redirect handling) and proceeds to CVE‑2026‑2701 (RCE via malicious ASPX web‑shell upload). Exploitation requires generating valid HMAC signatures, which becomes possible only after the bypass. No in‑the‑wild exploitation has been observed so far, but the public disclosure makes the chain viable. Source: BleepingComputer