Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1896+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Progress Confirms ShareFile Zero-Day Flaw Behind Storage Zone Shutdown
Progress Confirms ShareFile Zero-Day Flaw Behind Storage Zone Shutdown
NEWS

Progress Confirms ShareFile Zero-Day Flaw Behind Storage Zone Shutdown

Progress Software has confirmed a high-severity path traversal zero-day vulnerability in ShareFile Storage Zone Controller triggered the emergency shutdown order issued to on-premises customers on July 10, 2026. Emergency patches (versions 5.12.5 and 6.0.2) were released July 14, restoring customer access. All 5.x and 6.x versions are affected; cloud-only ShareFile accounts are not impacted.

Dylan H.

News Desk

July 14, 2026
6 min read

Progress Software has confirmed that a high-severity path traversal zero-day vulnerability in its ShareFile Storage Zone Controller software was the cause of an extraordinary emergency shutdown order issued to on-premises customers on July 10, 2026. Emergency patches — versions 5.12.5 and 6.0.2 — were released on July 14 alongside Microsoft's Patch Tuesday, restoring customer access to the platform.

The incident marks the second major ShareFile security crisis in two months, following a pair of critical pre-authentication RCE vulnerabilities disclosed by watchTowr Labs in April 2026. For security researchers and enterprise customers, it raises renewed questions about the security posture of the platform — particularly given Progress's role at the center of the devastating MOVEit Transfer mass exploitation campaign by Clop ransomware in 2023.

The Emergency Shutdown — July 10, 2026

On July 10, Progress sent an urgent email to all customers running on-premises ShareFile Storage Zone Controllers, instructing them to immediately shut down the Windows servers hosting the software. No patch was available at the time. The email cited a "credible external security threat" but provided no technical details.

The directive to take production file-sharing infrastructure offline with no advance warning — and no patch in hand — is an exceptionally rare step. It drew immediate attention from the security community, given the parallels to Progress's handling of the MOVEit Transfer incident in June 2023, when Clop had already exfiltrated data from hundreds of organizations before the initial advisory was published.

Progress subsequently confirmed the vulnerability during the July 10–13 period, with active honeypot detections of exploitation attempts reported during that window. By July 14, patches were available and customer access was restored.

The Vulnerability: Path Traversal Zero-Day

The confirmed vulnerability is a path traversal flaw in the ShareFile Storage Zone Controller. According to Progress's advisory, an authenticated administrative user can exploit the flaw to:

  • Read arbitrary files accessible to the application's service account
  • Write attacker-controlled content to arbitrary directories
  • Enumerate the server filesystem layout

The ability to write files to arbitrary directories is particularly dangerous in a Windows IIS-hosted application context — it creates a potential path to webshell deployment and full remote code execution, even if that specific exploitation chain hasn't been publicly confirmed for this flaw.

A CVE identifier has been reserved but was not publicly assigned as of July 14, 2026. Progress indicated the CVE would be published approximately two weeks after disclosure. Progress stated it could not rule out exploitation, though no evidence of confirmed data exfiltration or unauthorized account access was disclosed at time of patching.

Affected Versions

BranchAffectedFixed Version
5.xAll versions prior to 5.12.55.12.5
6.xAll versions prior to 6.0.26.0.2
Cloud SaaS (ShareFile.com)Not affectedN/A

Organizations using cloud-only ShareFile accounts with no self-hosted Storage Zone Controllers do not need to take any action.

Prior CVEs: April 2026 Pre-Auth RCE Chain

The July 2026 zero-day is a distinct vulnerability from two critical flaws disclosed by watchTowr Labs in April 2026:

CVETypeCVSSDescription
CVE-2026-2699Authentication Bypass9.8 (Critical)Bypasses authentication to reach restricted configuration pages
CVE-2026-2701Remote Code Execution9.1 (Critical)Upload of malicious ASPX webshells for full unauthenticated RCE

When chained, CVE-2026-2699 and CVE-2026-2701 allowed an unauthenticated attacker to achieve full remote code execution on any exposed ShareFile Storage Zone Controller. Shadowserver Foundation identified approximately 784 internet-exposed instances at the time of disclosure; watchTowr's broader scan found close to 30,000 visible instances. Progress patched those vulnerabilities in version 5.12.4.

Why ShareFile Is a High-Value Target

ShareFile Storage Zone Controllers store the actual file content transferred through the platform — enterprise documents, contracts, financial records, PII, and potentially regulated data. This makes them extremely high-value targets for:

  • Ransomware groups conducting data theft and extortion
  • State-sponsored actors conducting espionage via supply chain or trusted vendor access
  • Financial crime actors seeking confidential business documents

ShareFile's file storage role mirrors that of MOVEit Transfer in 2023 — also a Progress Software product, also a trusted enterprise managed file transfer platform. Clop ransomware's exploitation of MOVEit breached over 2,700 organizations globally. While Clop has not been attributed to ShareFile exploitation, the profile of attacks is similar.

Historical ShareFile Vulnerabilities

CVEYearSeverityTypeNotable
CVE-2023-244892023CriticalUnauthenticated RCEAdded to CISA KEV; exploited in wild
CVE-2026-26992026Critical (9.8)Auth bypassPatched in 5.12.4
CVE-2026-27012026Critical (9.1)Pre-auth RCEPatched in 5.12.4
TBD (July 2026)2026HighPath traversal zero-dayPatched in 5.12.5 / 6.0.2

What Organizations Should Do Now

Immediate Actions

  1. Upgrade immediately to ShareFile Storage Zone Controller 5.12.5 (5.x branch) or 6.0.2 (6.x branch)
  2. If you received the July 10 emergency shutdown email and your servers were shut down, do not bring them back online until the patch is applied
  3. Verify your deployment type — cloud-only customers are not affected and need no action

Post-Patch Investigation

After applying the patch, investigate for signs of exploitation during the exposure window (between initial exploitation and patching):

# Check IIS logs for suspicious path traversal patterns
# Look for requests containing ../ or encoded variants (%2e%2e%2f)
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" | 
  Select-String -Pattern "\.\./|%2e%2e%2f|%252e%252e" |
  Select-Object -First 100
 
# Search for recently created or modified ASPX files
Get-ChildItem -Path "C:\inetpub\" -Filter "*.aspx" -Recurse |
  Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-30)} |
  Select-Object FullName, LastWriteTime
 
# Check for unexpected files in ShareFile storage directories
Get-ChildItem -Path "<ShareFile-StoragePath>" -Recurse -File |
  Where-Object {$_.Extension -in @('.aspx','.asp','.php','.jsp')} |
  Select-Object FullName, CreationTime

Architecture Hardening

  • Restrict management interface access: ShareFile Storage Zone Controller management should not be directly internet-accessible; restrict to VPN or trusted internal networks
  • Implement least-privilege service accounts: The SZC application service account should have minimal filesystem permissions — only what is required to read/write the designated storage paths
  • Monitor file integrity: Deploy file integrity monitoring on ShareFile server directories to detect unauthorized file writes

If Indicators of Compromise Are Found

Treat the server as fully compromised:

  1. Isolate the server from the network immediately
  2. Capture a forensic image before making any changes
  3. Assume all files accessible to the service account may have been read or exfiltrated
  4. Notify affected parties per applicable breach notification requirements
  5. Contact Progress Software support for incident response guidance
  6. Engage your incident response team or a third-party IR firm

Looking Ahead: CVE Assignment

Progress has indicated the CVE identifier for the July 2026 path traversal zero-day will be publicly assigned approximately two weeks after disclosure (estimated by ~July 28, 2026). Monitor the NVD, CISA KEV catalog, and Progress's security advisories for the identifier and final CVSS score.


Sources: BleepingComputer, The Hacker News, The Register

#Progress Software#ShareFile#Zero-Day#Path Traversal#Patch Now#CVE-2026-2699#CVE-2026-2701#On-Premises Security

Related Articles

SonicWall Warns of SMA1000 Flaws Exploited in Zero-Day Attacks, Patch Now

SonicWall has issued an urgent advisory warning that two vulnerabilities in its SMA 1000 series secure remote access appliances are being actively exploited in chained zero-day attacks. CVE-2026-15409 (SSRF, CVSS 10.0) and CVE-2026-15410 (OS command injection) are combined to achieve full remote compromise. Patches are available; CISA has set a July 17 federal deadline.

4 min read

iCagenda and Balbooa Forms Joomla Flaws Exploited as Zero-Days

CISA has added two maximum-severity flaws in iCagenda and Balbooa Forms Joomla extensions to its KEV catalog following confirmed zero-day exploitation in the wild. Administrators should patch or mitigate immediately.

4 min read

Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, and AI Coding Attacks

This week's biggest threats: Progress Software orders ShareFile shutdown over an undisclosed zero-day-level risk, ransomware groups weaponize Citrix Bleed 2 to bypass MFA across 91+ victims, and five AI coding assistants fall to a shared attack pattern.

4 min read
Back to all News