Progress orders ShareFile Storage Zone Controller shutdown over a 'credible external threat' — day three, no patch or root cause disclosed
Progress Software has told every customer running an on-premises ShareFile Storage Zone Controller (SZC) — the self-hosted IIS component that lets ShareFile's SaaS front end store files on customer-controlled storage (local filesystem, SMB, SharePoint, S3/Azure) rather than in Progress's cloud — to manually power off the Windows server hosting it, citing "a credible external security threat" first notified to customers on 2026-07-10 (BleepingComputer, 2026-07-10). Three days on, the vendor status page still lists the Storage Zone Controller service as not operational and under investigation (Progress ShareFile status, 2026-07-13), and Progress has disclosed neither a CVE, a root cause, nor a patch or safe-restart timeline; the mitigation on offer is a full shutdown rather than an update, with no fix published as of this run (heise online, 2026-07-13; SecurityWeek, 2026-07-13). heise characterises the shutdown as a precautionary measure during an ongoing investigation. Progress states it has no indication of unauthorized access to any ShareFile account or data so far. Only on-premises SZC deployments are affected; cloud-only ShareFile tenants are not.
This sits on top of a chainable pre-auth RCE that watchTowr Labs disclosed in the same component in April 2026: CVE-2026-2699 (CVSS 9.8) is a CWE-698 execution-after-redirect authentication bypass in /ConfigService/Admin.aspx, where Response.Redirect() is called with the terminate flag set to false, so the admin page body still renders and executes after the browser is told to redirect to login; CVE-2026-2701 (CVSS 9.1) chains from that access, because the storage-location validation only checks writability, letting an attacker repoint the storage repository at the IIS web root and land an ASPX web shell (watchTowr Labs, 2026-04-02). Both were fixed in Storage Zone Controller 5.12.4 (the 6.x .NET-Core branch was unaffected); watchTowr counted roughly 30,000 internet-facing SZC instances at disclosure. Progress has not said whether the current threat relates to this chain or to a separate issue.
Defender takeaway. This is the same on-prem, internet-facing, managed-file-transfer-adjacent architecture class (ShareFile, MOVEit, GoAnywhere, Cleo) that has repeatedly produced mass pre-auth exploitation, and a vendor ordering customers to pull the plug rather than patch is a strong signal to treat any exposed SZC as untrusted until Progress publishes scope. Regardless of whether the July threat proves related to CVE-2026-2699/2701, any instance still on SZC 5.x below 5.12.4 carries a known, PoC-backed pre-auth RCE and should be upgraded or taken offline now. Since Progress has confirmed no mechanism, treat the CWE-698 chain as the working hunt hypothesis.
Triage: an authenticated administrator legitimately hits /ConfigService/Admin.aspx and receives a normal authenticated session; the anomaly for the known chain is a request to that path that returns a 302 whose response body nonetheless carries the full admin-panel HTML (the execution-after-redirect behaviour) rather than the redirect being honoured, followed by configuration changes to Zone/Primary-Zone-Controller/storage-repository fields outside a change window — and, downstream, an .aspx file appearing under a StorageCenter webroot subdirectory that is not part of the vendor's shipped file set.
We have reason to believe there is a credible external security threat targeting Progress Software's ShareFile Storage Zone Controllers.
Currently, we have no indication of unauthorized access to any Progress ShareFile accounts or data.
ShareFile customers with Storage Zone Controllers are not operational at this time.
Defender actions
- Shut down internet-facing on-prem ShareFile Storage Zone Controller servers per Progress's active directive and do not restart until Progress confirms scope; separately confirm any SZC 5.x instance is on ≥ 5.12.4 (or migrate to the unaffected 6.x .NET-Core branch) to close the known CVE-2026-2699/2701 pre-auth RCE chain.
- On any on-prem SZC host, run a bounded compromise check for the known chain: unexpected .aspx files under the StorageCenter webroot subdirectories (documentum/cifs/sp) and the IIS worker process w3wp.exe spawning cmd.exe or powershell.exe.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Persistence TA0003
T1505.003Server Software Component: Web Shell
Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to access the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.