ShareFile server flaws trigger patch scramble


A newly disclosed exploit chain in Progress ShareFile has raised fresh concern over the security of enterprise file-transfer systems after researchers showed that two critical flaws can be combined to seize control of vulnerable customer-managed servers without prior authentication. The vulnerabilities, tracked as CVE-2026-2699 and CVE-2026-2701, affect ShareFile Storage Zones Controller, the on-premises component used by organisations that keep files in their own infrastructure while relying on ShareFile’s broader service layer.

The more severe of the two bugs, CVE-2026-2699, carries a CVSS score of 9.8 and allows an unauthenticated attacker to reach restricted configuration pages. CVE-2026-2701, rated 9.1, is a remote code execution flaw that can be abused once an attacker has the access or trusted material needed to upload and execute malicious files on the server. Security researchers said the pair can be chained into a pre-authentication compromise path, effectively handing an outsider the ability to alter configuration, drop web shells and fully take over an exposed system.

The issue does not appear to affect every ShareFile environment equally. The disclosure centres on customer-managed Storage Zones Controller deployments, especially the 5.x branch built on ASP.NET. Researchers said both vulnerabilities were identified in version 5.12.3, which was the latest release available when their work was under way. A government advisory published on April 2 said affected ShareFile versions were those before 5.12.4 and versions before v6, making the vendor’s 5.12.4 release the key remediation point for exposed 5.x installations.

That distinction matters because ShareFile is often described as a cloud collaboration platform, yet the Storage Zones Controller is designed for customers that want tighter control over where their data sits, whether on local storage, network shares or approved cloud repositories. Those users are often in regulated sectors or in businesses with strict sovereignty and compliance requirements. The same design choice that gives customers greater control can also expand their security burden, because the controller sits inside their own environment and may be reachable from the public internet if poorly segmented.

Exposure figures have sharpened the urgency. Researchers said internet scanning suggested about 30,000 Storage Zones Controller instances were visible online, a number that reflects broad discoverability rather than confirmed vulnerable hosts. Separate telemetry cited by defenders pointed to a much smaller count of directly exposed IP addresses, with one tally showing 784 unique IPs observed on April 2. The gap between those numbers highlights a familiar problem in cyber incident response: headline exposure estimates can indicate wide attack surface, while narrower scans can better reflect immediate internet-facing risk. Either way, security teams are treating the disclosure as a high-priority patching event because file-transfer products have repeatedly drawn intense attention from criminals and espionage actors.

No authoritative public evidence had emerged by April 3 showing the ShareFile flaws were already being exploited in live attacks, but that has done little to calm defenders. The research was published with proof-of-concept details after coordinated disclosure, and the timeline released by the researchers said the vendor replicated the exploit chain in February and shipped a fixed version on March 10 before the embargo ended on April 2. That sequence gives organisations little room to delay, particularly because public exploit code tends to compress the time between disclosure and opportunistic scanning.

The episode also revives a difficult question for large enterprises: why secure file-transfer and managed transfer products keep appearing in high-impact vulnerability stories. The answer lies partly in their role. These systems sit near sensitive documents, automate trusted exchanges and are frequently integrated with identity, storage and workflow tools. A successful breach can therefore yield data theft, persistence and lateral movement in one step. Previous crises involving MOVEit and Cleo products showed how quickly attackers move when a widely used transfer platform exposes a reliable path to mass exploitation. Progress itself is still closely associated in many security circles with the 2023 MOVEit attacks, a reminder that vendors in this segment face exceptional scrutiny when another critical flaw appears.

For affected organisations, the immediate response is straightforward even if the follow-up work is not. Administrators need to identify whether any customer-managed ShareFile Storage Zones Controller instances are internet-facing, verify the installed version, upgrade vulnerable 5.x deployments to 5.12.4 or later, and investigate whether configuration pages, cryptographic settings or suspicious files show signs of tampering. Because the exploit path can enable full server compromise, incident handlers may also need to review credentials, logs, neighbouring systems and stored data for downstream impact rather than treating the issue as a routine patch cycle.
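
The version and exposure checks described above can be run over an asset inventory in one pass. The following is an added example, not code from the vendor, the researchers or this publication; the hostnames, the inventory layout and the status labels are constructed for illustration, and it assumes any build below 5.12.4 needs the upgrade while 5.12.4 and later, including v6, does not.

```python
import re

FIXED = (5, 12, 4)  # fixed 5.x release named in the article

# Constructed sample inventory: hosts, versions and flags are illustrative.
INVENTORY = [
    {"host": "szc-01.example.internal", "version": "5.12.3", "internet_facing": True},
    {"host": "szc-02.example.internal", "version": "5.12.4.1021", "internet_facing": True},
    {"host": "szc-03.example.internal", "version": "5.11.20", "internet_facing": False},
    {"host": "szc-04.example.internal", "version": "6.0.1", "internet_facing": True},
    {"host": "szc-05.example.internal", "version": "unknown", "internet_facing": True},
]

def parse_version(text):
    """Return (major, minor, patch) from a dotted version string, or None."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*", text.strip())
    if not m:
        return None
    # Missing components count as 0; a fourth build component is ignored.
    return tuple(int(p or 0) for p in m.groups())

def classify(entry):
    """Map one inventory entry to a triage status (labels are hypothetical)."""
    ver = parse_version(entry["version"])
    if ver is None:
        return "verify-manually"  # never assume an unknown build is patched
    if ver >= FIXED:              # covers 5.12.4 and later, and the v6 branch
        return "not-listed-affected"
    return "patch-now" if entry["internet_facing"] else "patch-internal"

def triage(inventory):
    """Return (status, host, version) rows, most urgent first."""
    order = {"patch-now": 0, "verify-manually": 1,
             "patch-internal": 2, "not-listed-affected": 3}
    rows = [(classify(e), e["host"], e["version"]) for e in inventory]
    return sorted(rows, key=lambda r: (order[r[0]], r[1]))

if __name__ == "__main__":
    for status, host, version in triage(INVENTORY):
        print(f"{status:20} {host:28} {version}")
```

Hosts that come back as patch-now or patch-internal still need the tampering review after the upgrade, since a patched version says nothing about whether the server was altered beforehand.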
