Critical ShareFile Vulnerabilities Allow Full RCE Without a Password — Patch Now

Introduction

Two chained vulnerabilities in Progress ShareFile's Storage Zones Controller allow an unauthenticated attacker to go from zero access to full remote code execution on the server — no credentials needed. With around 700 instances exposed directly on the internet, and a public exploit chain now available, this needs to be patched immediately.

What Happened

Security researchers at watchTowr discovered two critical flaws in the Storage Zones Controller (SZC) component of Progress ShareFile v5.x:

  • CVE-2026-2699 (CVSS 9.8): An authentication bypass caused by improper handling of HTTP redirects. This allows an unauthenticated attacker to reach the ShareFile admin interface — the control panel for storage zone configuration, file paths, passphrases, and secrets.

  • CVE-2026-2701: A remote code execution flaw triggered by abusing the file upload and extraction functionality. An attacker who has gained admin access via the bypass can upload malicious ASPX webshells directly into the application's webroot, giving them full code execution on the server.

The attack chain works like this: exploit CVE-2026-2699 to bypass authentication → access the admin panel → read or set the zone passphrase → generate valid HMAC signatures → exploit CVE-2026-2701 to upload a webshell → own the server. watchTowr confirmed the full chain on February 18 and responsibly disclosed it to Progress. Patches were released in ShareFile 5.12.4 on March 10.

No active exploitation has been confirmed at the time of writing, but with the full exploit chain now publicly detailed by watchTowr, threat actors will move fast. This is exactly the type of vulnerability Clop ransomware has historically jumped on — they previously exploited similar flaws in GoAnywhere MFT, MOVEit Transfer, Cleo, and Accellion FTA.

Why It Matters

ShareFile is used by large and mid-sized enterprises to handle sensitive file transfers — legal documents, financial records, client data. A pre-auth RCE on a file transfer platform is about as bad as it gets. Combined with Clop's history of targeting exactly these products, the risk of mass exploitation for data theft and extortion is real and imminent.

Around 30,000 Storage Zones Controller instances are visible on the public internet according to watchTowr scans, and ShadowServer currently tracks 700 directly exposed — predominantly in the US and Europe.

Who Is Affected

Organizations running Progress ShareFile Storage Zones Controller v5.x on-premises or in customer-managed cloud environments. ShareFile's cloud-managed zones are not affected — only self-hosted SZC deployments on branch 5.x prior to version 5.12.4.

How to Protect Yourself

  • Patch immediately: upgrade to ShareFile Storage Zones Controller 5.12.4 or later — this is the only complete fix
  • Confirm your version: log into the Storage Zones Controller admin interface and verify the installed version before assuming you're safe
  • Take the admin interface offline: if you cannot patch immediately, block public access to the SZC admin panel at the firewall or load balancer level as a temporary mitigation
  • Check for webshells: search your ShareFile webroot for unexpected .aspx files — particularly recently created ones — as indicators of compromise, for example:
      find /path/to/sharefile/webroot -name "*.aspx" -newer /path/to/sharefile/webroot/known-file.aspx
  • Review access logs: look for unexpected POST requests to admin configuration endpoints, unusual file upload activity, and HTTP redirect chains in your IIS or web server logs
  • Restrict network exposure: place your SZC behind a VPN or restrict access to corporate IP ranges — there is no reason for the admin interface to be publicly reachable
  • Monitor for webshell activity: set up alerts for unusual process spawning from IIS worker processes (w3wp.exe) — a classic indicator of webshell execution
  • Back up and isolate: if you suspect compromise, isolate the server, preserve logs, and rotate any credentials the ShareFile instance had access to
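
The webshell check from the list above, written out for a Windows/IIS host as an added example (not code from the original article or from Progress). The web root path, review window, report path and baseline file are placeholders and assumptions; the optional baseline is a CSV with a Hash column, such as one produced by piping Get-FileHash output from a known-good install of the same version into Export-Csv.

```powershell
# Added example: list .aspx files under a web root that are recent or absent from a baseline.
# $WebRoot, $Since, $Baseline and $ReportPath are placeholders/assumptions, not values from the article.
param(
    [string]$WebRoot    = 'C:\path\to\sharefile\webroot',
    [datetime]$Since    = (Get-Date).AddDays(-60),
    [string]$Baseline   = '',
    [string]$ReportPath = '.\aspx-sweep.csv'
)

$sinceUtc = $Since.ToUniversalTime()

# Load known-good SHA-256 hashes, if a baseline was supplied.
$known = @{}
if ($Baseline -and (Test-Path -LiteralPath $Baseline)) {
    Import-Csv -LiteralPath $Baseline |
        ForEach-Object { $known[$_.Hash.ToUpperInvariant()] = $true }
}

# @() keeps the result an array even when nothing matches.
$findings = @(
    Get-ChildItem -LiteralPath $WebRoot -Recurse -File -Force -Filter '*.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $recent = ($_.CreationTimeUtc -ge $sinceUtc) -or ($_.LastWriteTimeUtc -ge $sinceUtc)
        # A file that could not be hashed (locked, access denied) counts as not in the baseline.
        $unknown = ($known.Count -gt 0) -and (-not ($hash -and $known.ContainsKey($hash)))
        if ($recent -or $unknown) {
            [pscustomobject]@{
                Path          = $_.FullName
                CreatedUtc    = $_.CreationTimeUtc
                ModifiedUtc   = $_.LastWriteTimeUtc
                SizeBytes     = $_.Length
                SHA256        = $hash
                Recent        = $recent
                NotInBaseline = $unknown
            }
        }
    }
)

# Keep a copy for the investigation record, then show the oldest hits first.
$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$findings | Sort-Object CreatedUtc |
    Format-Table Path, CreatedUtc, ModifiedUtc, NotInBaseline -AutoSize
```

Timestamps on a compromised host can be altered, so a date filter alone can miss a planted file; the baseline comparison flags any .aspx whose hash is not in the known-good set regardless of its dates.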

Source: https://www.bleepingcomputer.com/news/security/new-progress-sharefile-flaws-can-be-chained-in-pre-auth-rce-attacks/