ctipilot.ch
← Back to the live brief
HIGHupdateNATOB1vulnerability

Progress confirms the ShareFile Storage Zone Controller shutdown was forced by a path-traversal zero-day; patches 5.12.5 / 6.0.2 ship and service is restored

discovered 2026-07-14 20:21 UTCrun 2026-07-14T2009Z-intel2 sourcesmulti-source

UPDATE · originally covered Progress ShareFile Storage Zone Controller — Shadowserver confirms active exploitation of CVE-2026-2699; exposed instances collapse ~30,000 to ~1,000 (2026-07-14)

Progress Software has confirmed the root cause behind its emergency ShareFile Storage Zone Controller (SZC) shutdown order: a high-severity path-traversal vulnerability affecting SZC versions 5.x and 6.x that lets an authenticated administrative user read arbitrary files accessible to the application's service account, write malicious content to server directories, and enumerate the filesystem layout (BleepingComputer, 2026-07-14) — a CWE-22-class flaw reachable through the SZC's internet-facing IIS component. Progress has shipped patched versions 5.12.5 and 6.0.2, and a CVE identifier is reserved but will not be published for two weeks. The vendor states it has "no indication of unauthorized access to any ShareFile customer account or data," a claim that sits alongside this run's earlier finding that Shadowserver honeypots recorded in-the-wild exploitation attempts against the same component from 2026-07-10. Progress's status page confirms Storage Zone Controller customer access "is currently being restored," with recovery instructions issued directly to account owners (Progress — ShareFile Status Page, 2026-07-14), closing out the multi-day outage that began with the 2026-07-10 shutdown order.

An authenticated administrative user can read arbitrary files accessible to the application's service account

Currently, we have no indication of unauthorized access to any ShareFile customer account or data

BleepingComputer 2026-07-14

Storage Zones Controller customer access is currently being restored. Recovery instructions have been provided directly to account owners.

Progress — ShareFile Status Page 2026-07-14

Defender actions

  • Apply ShareFile Storage Zone Controller 5.12.5 or 6.0.2 to every on-prem SZC now and follow Progress's account-owner recovery instructions before returning the component to service — this is the fix for the flaw behind the 2026-07-10 emergency shutdown, against which in-the-wild exploitation attempts were already observed.

ATT&CK mapping

1 technique mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.