ctipilot.ch

Progress ShareFile Storage Zone Controller — storage-repository web-shell RCE chained from CVE-2026-2699

cve · CVE-2026-2701

Coverage timeline
1
first 2026-07-13 → last 2026-07-13
Peak priority
high
1 high
Sources cited
5
5 hosts
Sections touched
1
active-threats
Co-occurring entities
2
see Related entities below
ATT&CK techniques
2
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Progress ShareFile Storage Zone Controller

ATT&CK techniques

2 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-13/progress-sharefile-storage-zone-controller-shutdown · ATT&CK page ↗

Persistence TA0003

T1505.003Server Software Component: Web Shell×1

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

Evidence: 2026-07-13/progress-sharefile-storage-zone-controller-shutdown · ATT&CK page ↗

Story timeline

  1. 2026-07-13Progress orders ShareFile Storage Zone Controller shutdown over a 'credible external threat' — day three, no patch or root cause disclosed
    active-threatsProgress tells all on-prem ShareFile Storage Zone Controller customers to power off their servers over an undisclosed 'credible external security threat'

Where this entity is cited

  • active-threats1

Source distribution

  • bleepingcomputer.com1 (20%)
  • heise.de1 (20%)
  • labs.watchtowr.com1 (20%)
  • securityweek.com1 (20%)
  • status.sharefile.com1 (20%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Progress ShareFile Storage Zone Controller — storage-repository web-shell RCE chained from CVE-2026-2699 (1)

2026-07-13 · view entry permalink →

Progress orders ShareFile Storage Zone Controller shutdown over a 'credible external threat' — day three, no patch or root cause disclosed

Progress Software has told every customer running an on-premises ShareFile Storage Zone Controller (SZC) — the self-hosted IIS component that lets ShareFile's SaaS front end store files on customer-controlled storage (local filesystem, SMB, SharePoint, S3/Azure) rather than in Progress's cloud — to manually power off the Windows server hosting it, citing "a credible external security threat" first notified to customers on 2026-07-10 (BleepingComputer, 2026-07-10). Three days on, the vendor status page still lists the Storage Zone Controller service as not operational and under investigation (Progress ShareFile status, 2026-07-13), and Progress has disclosed neither a CVE, a root cause, nor a patch or safe-restart timeline; the mitigation on offer is a full shutdown rather than an update, with no fix published as of this run (heise online, 2026-07-13; SecurityWeek, 2026-07-13). heise characterises the shutdown as a precautionary measure during an ongoing investigation. Progress states it has no indication of unauthorized access to any ShareFile account or data so far. Only on-premises SZC deployments are affected; cloud-only ShareFile tenants are not.

This sits on top of a chainable pre-auth RCE that watchTowr Labs disclosed in the same component in April 2026: CVE-2026-2699 (CVSS 9.8) is a CWE-698 execution-after-redirect authentication bypass in /ConfigService/Admin.aspx, where Response.Redirect() is called with the terminate flag set to false, so the admin page body still renders and executes after the browser is told to redirect to login; CVE-2026-2701 (CVSS 9.1) chains from that access, because the storage-location validation only checks writability, letting an attacker repoint the storage repository at the IIS web root and land an ASPX web shell (watchTowr Labs, 2026-04-02). Both were fixed in Storage Zone Controller 5.12.4 (the 6.x .NET-Core branch was unaffected); watchTowr counted roughly 30,000 internet-facing SZC instances at disclosure. Progress has not said whether the current threat relates to this chain or to a separate issue.

Defender takeaway. This is the same on-prem, internet-facing, managed-file-transfer-adjacent architecture class (ShareFile, MOVEit, GoAnywhere, Cleo) that has repeatedly produced mass pre-auth exploitation, and a vendor ordering customers to pull the plug rather than patch is a strong signal to treat any exposed SZC as untrusted until Progress publishes scope. Regardless of whether the July threat proves related to CVE-2026-2699/2701, any instance still on SZC 5.x below 5.12.4 carries a known, PoC-backed pre-auth RCE and should be upgraded or taken offline now. Since Progress has confirmed no mechanism, treat the CWE-698 chain as the working hunt hypothesis.

Triage: an authenticated administrator legitimately hits /ConfigService/Admin.aspx and receives a normal authenticated session; the anomaly for the known chain is a request to that path that returns a 302 whose response body nonetheless carries the full admin-panel HTML (the execution-after-redirect behaviour) rather than the redirect being honoured, followed by configuration changes to Zone/Primary-Zone-Controller/storage-repository fields outside a change window — and, downstream, an .aspx file appearing under a StorageCenter webroot subdirectory that is not part of the vendor's shipped file set.

We have reason to believe there is a credible external security threat targeting Progress Software's ShareFile Storage Zone Controllers.

Currently, we have no indication of unauthorized access to any Progress ShareFile accounts or data.

Progress Software (via BleepingComputer)

ShareFile customers with Storage Zone Controllers are not operational at this time.

Progress ShareFile (vendor status page) 2026-07-13
incident13 Jul 12:45Zmulti-sourceOpen finding ↗