Progress ShareFile Storage Zones Controller Flaws Enable Unauthorized Access and RCE
Progress disclosed two high-severity vulnerabilities in Customer Managed ShareFile Storage Zones Controller (SZC) that could expose organizations to unauthorized access and remote code execution. CVE-2026-2699 allows an unauthenticated attacker to reach restricted configuration pages, creating a path to unauthorized system configuration changes and possible code execution. The flaw is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-284 and CWE-698.
A second issue, CVE-2026-2701, allows an authenticated user to upload a malicious file to the server and execute it, resulting in remote code execution in ShareFile SZC environments. That vulnerability carries a CVSS 8.8 rating (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is mapped to CWE-94, CWE-78, and CWE-434. The disclosures reference vendor security guidance for ShareFile and indicate that both flaws can significantly affect confidentiality, integrity, and availability in customer-managed deployments.
Timeline
Apr 2, 2026
Progress releases ShareFile SZC fix in version 5.12.4
On 2026-04-02, Progress disclosed fixes for CVE-2026-2699 and CVE-2026-2701 in ShareFile Storage Zones Controller v5.12.4 and advised customers to upgrade or move to any unaffected v6 release. The company also said it had not received reports of active exploitation at the time of the notice.
Apr 2, 2026
CVE records and vendor references are published for the ShareFile SZC flaws
On 2026-04-02, public CVE entries were published for both vulnerabilities with high-severity CVSS v3.1 scores, CWE mappings, and vendor/security advisory references. The CVE-2026-2699 record was also updated the same day to add a WatchTowr Labs reference.
Apr 2, 2026
Progress receives reports for ShareFile SZC vulnerabilities CVE-2026-2699 and CVE-2026-2701
On 2026-04-02, Progress received vulnerability reports affecting Customer Managed ShareFile Storage Zones Controller. CVE-2026-2699 allows unauthenticated access to restricted configuration pages with possible configuration changes and remote code execution, while CVE-2026-2701 allows an authenticated user to upload and execute a malicious file on the server.
Related Stories

Progress ShareFile Flaws Enable Pre-Auth RCE on Storage Zone Controller
Researchers disclosed a **pre-authenticated remote code execution** chain affecting **Progress ShareFile Storage Zone Controller 5.x**. The chain combines **CVE-2026-2699**, an authentication bypass in `/ConfigService/Admin.aspx` caused by execution continuing after an HTTP redirect, with **CVE-2026-2701**, which allows code execution by changing the storage location to a webroot path and abusing ZIP upload-and-extract behavior to write a malicious **ASPX webshell** to disk. The attack can give unauthenticated attackers access to the ShareFile admin interface, enable changes to storage zone configuration and secrets, and potentially support file exfiltration from affected environments. The issues were reported by watchTowr and fixed by Progress in **ShareFile Storage Zone Controller 5.12.4**. The research focused on the **5.x** branch, including version **5.12.3**, and highlighted substantial internet exposure: watchTowr said roughly **30,000** Storage Zone Controller instances were discoverable online, while Shadowserver observed about **700** internet-exposed Progress ShareFile systems, primarily in the United States and Europe. No active exploitation was reported at disclosure, but the publication of the exploit chain raises the risk of follow-on attacks against unpatched on-premises deployments.
4 weeks ago
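The two defensive checks the chain above implies, shown in a hypothetical ASP.NET WebForms page added here as an illustration (this is not ShareFile's code or watchTowr's research code): stopping request processing once an authorization redirect has been issued, and refusing a storage-location change that would land under the webroot. The class name `AdminConfigPage`, the `Administrator` role, the `~/Login.aspx` URL and the `IsSafeStorageLocation` helper are assumptions, not identifiers from the advisory.

```csharp
using System;
using System.IO;
using System.Web.UI;

// Illustrative ASP.NET WebForms page (assumed names; not ShareFile's code).
public partial class AdminConfigPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated || !User.IsInRole("Administrator"))
        {
            // Bug class behind a redirect-based auth bypass: with endResponse = false the
            // 302 header is written but execution falls through, so a client that simply
            // ignores the redirect still receives the restricted configuration page:
            //     Response.Redirect("~/Login.aspx", false);
            //     // ... falls through to RenderRestrictedConfiguration()
            //
            // Hardened form: endResponse (the default) calls Response.End(), and the
            // explicit return makes the intended control flow obvious to reviewers.
            Response.Redirect("~/Login.aspx", true);
            return;
        }
        RenderRestrictedConfiguration();
    }

    private void RenderRestrictedConfiguration()
    {
        // Privileged configuration UI would be rendered here.
    }

    // Refuse a storage location that falls inside the web-served directory, where an
    // uploaded or ZIP-extracted server-side page (e.g. .aspx) would be executed rather
    // than merely stored. Both paths are canonicalised first so "..\" segments and
    // mixed separators cannot defeat a plain prefix comparison.
    public static bool IsSafeStorageLocation(string requestedPath, string webrootPath)
    {
        string full = Path.GetFullPath(requestedPath).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string root = Path.GetFullPath(webrootPath).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        return !full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
    }
}
```

A per-page check like this is a last line of defence; the same authorization rule should also be enforced centrally (for example via the application's `<authorization>` configuration) so that a single page omitting the return cannot expose the admin interface.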
Progress LoadMaster API Flaws Enable Authenticated OS Command Injection
Progress disclosed two high-severity OS command injection vulnerabilities in its ADC product line, including **LoadMaster**, **ECS Connection Manager**, **Object Scale Connection Manager**, and **MOVEit WAF**. The issues, tracked as `CVE-2026-3517` and `CVE-2026-3519`, affect the API and can lead to remote code execution when authenticated administrators submit unsanitized input to specific commands. Both flaws are classified as `CWE-77` and carry a `CVSS v3.1` vector of `AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. `CVE-2026-3517` allows an attacker with **Geo Administration** permissions to exploit the `addcountry` command, while `CVE-2026-3519` requires **VS Administration** permissions to abuse the `aclcontrol` command. In both cases, Progress said arbitrary commands could be executed through the vulnerable API, and the vendor published an advisory covering these and related CVEs. Organizations using affected appliances should prioritize reviewing administrative access and applying vendor guidance to reduce exposure to authenticated abuse paths.
1 week ago
Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers **root access** and another that enables **arbitrary file write** through path traversal. **CVE-2026-3587** describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to `CWE-912` and assigned a `CVSS v3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, with CERT VDE publishing advisory `VDE-2026-020`. A separate vulnerability, **CVE-2026-5027**, affects Langflow's `POST /api/v2/files` endpoint, where improper sanitization of the multipart `filename` parameter allows path traversal using `../` sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as `CWE-22`, carries the `CVSS v3.1` vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, and is referenced in Tenable advisory `TRA-2026-26`.
1 month ago