Progress ShareFile Storage Zone Controller — Shadowserver confirms active exploitation of CVE-2026-2699; exposed instances collapse ~30,000 to ~1,000
UPDATE · originally covered Progress orders ShareFile Storage Zone Controller shutdown over a 'credible external threat' — day three, no patch or root cause disclosed (2026-07-13)
Two developments harden the picture around Progress's emergency ShareFile Storage Zone Controller (SZC) shutdown order. First, the shutdown was not precautionary in the abstract: the alert "arrived the same day that independent honeypots began detecting active, in-the-wild attempts to exploit" the pre-auth authentication-bypass flaw CVE-2026-2699, with Shadowserver Foundation honeypots first recording those attempts on Friday 2026-07-10 (BankInfoSecurity, 2026-07-13). This moves the flaw's status from PoC-public to actively exploited. Second, defenders responded at scale — the number of internet-exposed Storage Zone Controllers fell from watchTowr's April count of about 30,000 to roughly 1,000 by 2026-07-13, evidence of widespread emergency power-downs (BankInfoSecurity, 2026-07-13). Progress restored ShareFile cloud-service access for SZC customers but continues to require the on-prem controllers themselves stay powered off pending its investigation, and still reports no evidence of unauthorized access to customer data (The Register, 2026-07-13; Progress ShareFile status, 2026-07-13).
Recorded Future analyst Allan Liska publicly assessed that the pattern "smells like CL0P ransomware group activity," pointing to Clop's long record of mass-exploiting secure file-transfer software (Accellion FTA, GoAnywhere, MOVEit, Cleo Harmony, and Oracle E-Business Suite) (BankInfoSecurity, 2026-07-13). This is a named researcher's hypothesis, not an attribution: Progress has identified no actor and disclosed no root cause.
Defender takeaway. The one-day earlier guidance — treat any exposed SZC as untrusted and keep it powered off rather than patched — is now backed by confirmed in-the-wild exploitation, so it should carry more weight, not less, for any organisation that has not yet acted. Exposure concentrates in the US and Germany, keeping this directly relevant to European on-prem file-exchange operators. The recommended state remains a full power-off of on-prem Storage Zone Controllers until Progress publishes scope; the original entry's shutdown and bounded-compromise-check actions still stand unchanged.
The alert arrived the same day that independent honeypots began detecting active, in-the-wild attempts to exploit a critical authentication bypass vulnerability the vendor patched earlier this year in its ShareFile Storage Zone Controller software.
Honeypots run by nonprofit cybersecurity organization Shadowserver Foundation first recorded active, in-the-wild attacks attempting to exploit CVE-2026-2699 on Friday.
This smells like CL0P ransomware group activity. If you use ShareFile, be like C-3PO and 'shut them all down.'
ATT&CK mapping
1 technique mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Sources
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.