New Progress ShareFile Bugs Let Attackers Take Over Servers Without Logging In

What happened

New Progress ShareFile bugs could let attackers take over exposed on-premises servers without logging in by chaining an authentication bypass with remote code execution. The issues affect customer-managed ShareFile Storage Zones Controller 5.x deployments. The first flaw, CVE-2026-2699, is an authentication bypass on the Admin.aspx configuration page that can expose restricted admin functionality to an unauthenticated user. The second flaw, CVE-2026-2701, allows a malicious archive to be uploaded and extracted into a server-controlled path, including a web-accessible directory. Researchers showed that the chain could be used to place an ASPX webshell in the ShareFile webroot and execute code remotely on the server. Progress published fixes on April 2 and said customers should upgrade to version 5.12.4 or move to any 6.x release, which is not impacted. 

Who is affected

The direct exposure affects organizations running customer-managed ShareFile Storage Zones Controller 5.x systems, especially internet-facing deployments. The on-premises component is used by organizations that want to store files in their own infrastructure while still using ShareFile's cloud-based management interface. Researchers estimated that around 30,000 Storage Zones Controller instances are internet-facing.

Why CISOs should care

This matters because the affected servers sit at the edge of file-sharing workflows and can provide a direct path to server takeover without prior authentication. The attack chain also reaches a system often used for compliance, sovereignty, or internal security reasons, which raises the operational impact if an exposed deployment is compromised. Progress said it has not received reports of active exploitation so far, but classified the issue as critical. 

3 practical actions

Patch affected systems immediately: Upgrade exposed ShareFile Storage Zones Controller 5.x servers to version 5.12.4 or move to an unaffected 6.x release. 

Identify exposed on-premises deployments: Locate any internet-facing Storage Zones Controller instances and prioritize them for immediate remediation. 

Review for tampering and unexpected files: Check affected servers for suspicious configuration changes and unexpected files in web-facing directories, especially where a malicious archive or webshell could have been placed. 
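The two checks in the last action, as an added example that is not from the article or from Progress: it flags unauthenticated requests to Admin.aspx in IIS W3C logs and lists recently modified ASPX-type files under the webroot with their SHA-256 hashes for comparison against a clean install. The field order, the webroot path and the sample log lines are constructed assumptions; adjust FIELDS to the #Fields: header of your own logs.

```python
"""Constructed post-patch checks for a ShareFile Storage Zones Controller host.
Log field order, paths and sample lines are assumptions, not data from the advisory."""
import hashlib
from datetime import datetime, timezone
from pathlib import Path

# Assumed IIS W3C field order (IIS writes '+' for spaces inside a field, so split() is safe).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]
WATCH_STEMS = {"/admin.aspx"}  # the configuration page named in the article


def suspicious_requests(log_lines):
    """Return (client_ip, method, stem, status) for hits on watched pages
    that carry no authenticated username ('-' in cs-username)."""
    hits = []
    for line in log_lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["cs-uri-stem"].lower() in WATCH_STEMS and rec["cs-username"] == "-":
            hits.append((rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


def recent_aspx_files(webroot, since):
    """List .aspx/.ashx/.asmx files under webroot modified after `since` (tz-aware UTC),
    each with its SHA-256, so unexpected files can be spotted and compared."""
    found = []
    for p in Path(webroot).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".aspx", ".ashx", ".asmx"}:
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime > since:
                found.append((str(p), hashlib.sha256(p.read_bytes()).hexdigest()))
    return sorted(found)


# Constructed sample: one admin hit with a session user, one without.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-04-01 10:00:01 10.0.0.5 GET /Admin.aspx - 443 szcadmin 10.0.0.9 Mozilla/5.0 200
2026-04-01 10:02:17 10.0.0.5 POST /Admin.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2026-04-01 10:02:30 10.0.0.5 GET /index.aspx - 443 - 198.51.100.23 python-requests/2.31 200""".splitlines()

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("unauthenticated admin page hit:", hit)
    for path, digest in recent_aspx_files(".", datetime(2026, 4, 1, tzinfo=timezone.utc)):
        print(path, digest)
```

Point `recent_aspx_files` at the real webroot and set `since` to the last known-good deployment time; any file it returns that is not in the vendor package deserves a closer look.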

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.