A dangerous attack chain in Progress ShareFile that can allow attackers to take over exposed on-premises servers without first logging in.<\/p>\n
The issues affect customer-managed ShareFile Storage Zones Controller 5.x deployments, and Progress says customers should upgrade to version 5.12.4 or move to any 6.x release, which is not impacted.<\/p>\n
According to Progress and WatchTower, the first bug is an authentication bypass that exposes restricted configuration pages, while the second enables remote code execution via\u00a0malicious file uploads<\/a><\/span> and execution.<\/a><\/p>\n RunZero lists both flaws CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1) as critical.<\/p>\n The attack targets the ShareFile Storage Zones Controller. This on-premises component lets organizations store files in their own infrastructure while still using ShareFile\u2019s cloud-based management interface.<\/p>\n That design is often used by enterprises with compliance, sovereignty, or internal security requirements, and watchTower estimated that around 30,000 Storage Zone Controller instances are internet-facing.<\/p>\n Because these servers sit at the edge of file-sharing workflows, they are especially attractive targets for ransomware groups and other threat actors.<\/p>\n WatchTowr found that the authentication bypass is caused by an Execution After Redirect condition on the Admin.aspx configuration page.<\/p>\n In simple terms, the application sends an HTTP 302 redirect to the login page. However, the page logic continues running, which can expose admin functionality to an unauthenticated user.<\/a><\/p>\n The researchers said this behavior is tied to the way the application uses a redirect function that does not properly stop execution.<\/p>\n After gaining access to the admin interface, an attacker can modify important zone settings, including storage paths and passphrase-related values.<\/p>\n That access becomes more serious because the second bug allows a malicious archive to be uploaded and extracted into a server-controlled path, including a web-accessible directory.<\/a><\/p>\n In the demonstrated chain, this allowed an ASPX webshell to be placed in the ShareFile webroot<\/a> and for code to be executed remotely on the server.<\/p>\n Progress said it has not received reports of active exploitation so far. However, the vendor classified the issue as critical and published fixes on April 2, 2026.<\/p>\n WatchTower\u2019s timeline shows the bugs were privately disclosed<\/a> in February, replicated by Progress in mid-February, and fixed in ShareFile Storage Zones Controller 5.12.4 on March 10 before public disclosure in April.<\/p>\n For defenders, the priority is clear: identify any exposed ShareFile Storage Zones Controller 5.x systems, patch immediately, and review them for suspicious configuration changes or unexpected files in web-facing directories.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n\nProgress ShareFile<\/strong> Vulnerability<\/strong>
\n<\/h2>\n![\"uploaded](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjYnrMVclLovcdERbj2_k2xQ0lkxAuCnqbMXy-37RQShJt6ytamR00jvsPmeRF4vscVbHMH-MabdQDJZ7CK4I9I-s04bDKSTGzFLpj1ZWakvXDGshXXmN4YaTlqo06b_3f94n52A6rbV3B4q426SHwU9t1z2QOCKPLs1CUdRyQgwbBdqBr7yXa6sCQZ5kg\/s1600\/Screenshot%25202026-04-03%2520192221%2520%25281%2529.webp?ssl=1\")
![\"webshell](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiCHxpvvFvW7Br0CVxo5QocMc8Bn6lfXa5y4IffU_ZVHJicud8CYRCERS54yegi0rgFKzBiWHqPAOSnif6HJcVe4CwqvAQYdrvCmVqlWB8nLDwBg3TvWWkTTE9dlxXmjNLvtfAiZLGwTNh5a4TZwi-oOy2tKWHfhJ-nAQkv-r6kK1Jp2vyog43EopqKmoc\/s1600\/Screenshot%25202026-04-03%2520192243%2520%25281%2529.webp?ssl=1\")