Progress ShareFile Flaws Enable Pre-Auth RCE on Storage Zone Controller
Researchers disclosed a pre-authenticated remote code execution chain affecting Progress ShareFile Storage Zone Controller 5.x. The chain combines CVE-2026-2699, an authentication bypass in /ConfigService/Admin.aspx caused by execution continuing after an HTTP redirect, with CVE-2026-2701, which allows code execution by changing the storage location to a webroot path and abusing ZIP upload-and-extract behavior to write a malicious ASPX webshell to disk. The attack can give unauthenticated attackers access to the ShareFile admin interface, enable changes to storage zone configuration and secrets, and potentially support file exfiltration from affected environments.
The issues were reported by watchTowr and fixed by Progress in ShareFile Storage Zone Controller 5.12.4. The research focused on the 5.x branch, including version 5.12.3, and highlighted substantial internet exposure: watchTowr said roughly 30,000 Storage Zone Controller instances were discoverable online, while Shadowserver observed about 700 internet-exposed Progress ShareFile systems, primarily in the United States and Europe. No active exploitation was reported at disclosure, but the publication of the exploit chain raises the risk of follow-on attacks against unpatched on-premises deployments.
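The two bug classes named above (a redirect that does not stop request processing, and a storage location that can be pointed at the web root and then populated by ZIP extraction) are modelled below in a small added illustration. This is not Progress or ShareFile code and it does not reproduce the real handler; the request/response classes, the config dictionary, the login URL, the IIS web-root path and the sample archive are all constructed assumptions. It shows the handler pattern that lets privileged code run after a redirect next to the hardened form, and a pre-extraction check that refuses web-served storage paths and server-executable archive entries.

```python
# Added illustration, not Progress/ShareFile code. Models the two bug classes the
# write-up names: (1) a redirect that does not end request processing, and
# (2) a storage location that may be pointed at the web root, combined with ZIP
# extraction that can drop server-executable files. The request/response
# classes, config dict, URLs and web-root paths are constructed assumptions.
import io
import ntpath
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath, PureWindowsPath


@dataclass
class Request:
    authenticated: bool
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""


LOGIN_URL = "/ConfigService/Login.aspx"        # assumed redirect target
WEBROOTS = ["C:\\inetpub\\wwwroot"]            # assumed IIS web root
BLOCKED_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".config", ".dll", ".exe"}


def admin_page_redirect_continues(req, config):
    """Bug class 1: the redirect is set but the handler keeps executing, so the
    privileged config write still happens for an unauthenticated caller."""
    resp = Response()
    if not req.authenticated:
        resp.status, resp.headers["Location"] = 302, LOGIN_URL
        # no return here: execution falls through to the privileged code
    if "storage_location" in req.form:
        config["storage_location"] = req.form["storage_location"]
    return resp


def admin_page_fixed(req, config):
    """Hardened: end processing at the redirect, then validate the new path."""
    resp = Response()
    if not req.authenticated:
        resp.status, resp.headers["Location"] = 302, LOGIN_URL
        return resp                            # nothing runs past this point
    new_loc = req.form.get("storage_location")
    if new_loc is not None:
        if is_under_webroot(new_loc):
            resp.status, resp.body = 400, "storage location must not be web-served"
            return resp
        config["storage_location"] = new_loc
    return resp


def is_under_webroot(path, webroots=WEBROOTS):
    """True if the normalized, case-insensitive Windows path lies inside any web root."""
    parts = [s.lower() for s in PureWindowsPath(ntpath.normpath(path)).parts]
    for root in webroots:
        r = [s.lower() for s in PureWindowsPath(ntpath.normpath(root)).parts]
        if parts[:len(r)] == r:
            return True
    return False


def screen_zip(data):
    """Classify archive entries before extraction; rejected ones are never written."""
    allowed, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            p = PurePosixPath(name)
            if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
                rejected[info.filename] = "absolute path"
            elif ".." in p.parts:
                rejected[info.filename] = "path traversal"
            elif p.suffix.lower() in BLOCKED_EXT:
                rejected[info.filename] = "server-executable extension"
            else:
                allowed.append(info.filename)
    return {"allowed": allowed, "rejected": rejected}


def make_sample_zip():
    """Constructed archive: one benign file, one ASPX-named entry, one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly report")
        zf.writestr("shell.aspx", "placeholder content")      # executable if served
        zf.writestr("../escape.txt", "outside the extraction dir")
    return buf.getvalue()


def demo():
    """Run an unauthenticated config change against both handlers and screen the archive."""
    cfg_vuln = {"storage_location": "D:\\StorageZone"}
    cfg_fixed = {"storage_location": "D:\\StorageZone"}
    unauth = Request(authenticated=False, form={"storage_location": "C:\\inetpub\\wwwroot\\sz"})
    admin_page_redirect_continues(unauth, cfg_vuln)
    admin_page_fixed(unauth, cfg_fixed)
    return cfg_vuln["storage_location"], cfg_fixed["storage_location"], screen_zip(make_sample_zip())


if __name__ == "__main__":
    print(demo())
```

In the vulnerable handler the 302 is still sent, so a client following redirects sees only the login page while the server-side write has already happened; that is why a redirect alone is not an access-control decision. The path check normalizes `..` segments and compares case-insensitively, since both are common ways a web-root restriction gets sidestepped on Windows.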
Timeline
Apr 2, 2026
Researchers report significant internet exposure of ShareFile instances
Public reporting noted substantial exposure of ShareFile Storage Zone Controller systems on the internet, with watchTowr estimating roughly 30,000 discoverable instances and Shadowserver observing about 700 exposed Progress ShareFile systems. The exposed systems were reported as concentrated mainly in the United States and Europe.
Apr 2, 2026
watchTowr discloses pre-auth ShareFile RCE chain affecting on-prem deployments
watchTowr Labs publicly disclosed that CVE-2026-2699 and CVE-2026-2701 can be chained to achieve pre-authenticated remote code execution against internet-exposed on-premises ShareFile Storage Zone Controller 5.x systems. The disclosure described authentication bypass via /ConfigService/Admin.aspx and webshell placement through storage reconfiguration and ZIP extraction abuse.
Mar 10, 2026
Progress releases ShareFile SZC 5.12.4 to fix two vulnerabilities
Progress fixed two flaws in ShareFile Storage Zone Controller 5.x, tracked as CVE-2026-2699 and CVE-2026-2701, in version 5.12.4. The patched release was made available on 2026-03-10.
Related Stories

Progress ShareFile Storage Zones Controller Flaws Enable Unauthorized Access and RCE
Progress disclosed two high-severity vulnerabilities in **Customer Managed ShareFile Storage Zones Controller (SZC)** that could expose organizations to unauthorized access and remote code execution. **`CVE-2026-2699`** allows an unauthenticated attacker to reach restricted configuration pages, creating a path to unauthorized system configuration changes and possible code execution. The flaw is rated **CVSS 9.8** (`AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`) and is associated with **CWE-284** and **CWE-698**. A second issue, **`CVE-2026-2701`**, allows an authenticated user to upload a malicious file to the server and execute it, resulting in remote code execution in ShareFile SZC environments. That vulnerability carries a **CVSS 8.8** rating (`AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`) and is mapped to **CWE-94**, **CWE-78**, and **CWE-434**. The disclosures reference vendor security guidance for ShareFile and indicate that both flaws can significantly affect confidentiality, integrity, and availability in customer-managed deployments.
1 month ago
Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including **LoadMaster**, **ECS Connection Manager**, **Object Scale Connection Manager**, and **MOVEit WAF**. The issues, tracked as `CVE-2026-3517` and `CVE-2026-3519`, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as `CWE-77` and carry a `CVSS v3.1` vector of `AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. `CVE-2026-3517` allows an attacker with **Geo Administration** permissions to exploit the `addcountry` command, while `CVE-2026-3519` requires **VS Administration** permissions to abuse the `aclcontrol` command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
1 week ago
Active Exploitation of Unpatched LFI Vulnerability in Gladinet CentreStack and TrioFox (CVE-2025-11371)
Attackers are actively exploiting a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox file-sharing and remote access platforms. This vulnerability is an unauthenticated local file inclusion (LFI) flaw that allows threat actors to access sensitive system files, including the application’s Web.config file. By retrieving the machine key from this configuration file, attackers can leverage a previously patched vulnerability, CVE-2025-30406, to achieve remote code execution (RCE) through ViewState deserialization attacks. Huntress, a cybersecurity firm, first detected exploitation of this flaw on September 26-27, 2025, and has confirmed that at least three customers have been impacted so far. The vulnerability affects all versions of CentreStack and TrioFox up to and including 16.7.10368.56560, and there is currently no official patch available from Gladinet. Both self-hosted and cloud-hosted deployments of these platforms are at risk, as the flaw impacts default installations and configurations. The exploitation chain involves using the LFI to extract the machine key, which is then used to craft malicious ViewState payloads that bypass integrity checks and enable arbitrary code execution on the server. Notably, Huntress observed successful exploitation even on systems that had already patched CVE-2025-30406, indicating that the previous fix was insufficient to fully mitigate the risk. In response, Huntress and other security experts recommend disabling the "temp" handler within the UploadDownloadProxy Web.config file as an immediate mitigation, though this may impact some platform functionality. Gladinet has acknowledged the vulnerability and its active exploitation but has not yet released a patch, urging customers to implement the recommended mitigations. 
The affected products are widely used by managed service providers, small businesses, and enterprises for secure file access and sharing, increasing the potential impact of this vulnerability. Attackers exploiting this flaw can gain full control over affected servers, leading to data theft, lateral movement, or further compromise of organizational networks. Security researchers are withholding some technical details to prevent further exploitation while a patch is developed. Organizations using CentreStack or TrioFox should urgently review their configurations and apply the recommended mitigations to reduce exposure. The incident highlights the risks associated with chained vulnerabilities and the importance of defense-in-depth strategies. Ongoing monitoring and threat detection are advised until a permanent fix is available. The situation remains fluid, with active exploitation continuing and the vendor working on a security update.
1 month ago