Progress Software has confirmed that a high-severity path traversal zero-day vulnerability in its ShareFile Storage Zone Controller software was the cause of an extraordinary emergency shutdown order issued to on-premises customers on July 10, 2026. Emergency patches — versions 5.12.5 and 6.0.2 — were released on July 14 alongside Microsoft's Patch Tuesday, restoring customer access to the platform.
The incident marks the second major ShareFile security crisis in two months, following a pair of critical pre-authentication RCE vulnerabilities disclosed by watchTowr Labs in April 2026. For security researchers and enterprise customers, it raises renewed questions about the security posture of the platform — particularly given Progress's role at the center of the devastating MOVEit Transfer mass exploitation campaign by Clop ransomware in 2023.
The Emergency Shutdown — July 10, 2026
On July 10, Progress sent an urgent email to all customers running on-premises ShareFile Storage Zone Controllers, instructing them to immediately shut down the Windows servers hosting the software. No patch was available at the time. The email cited a "credible external security threat" but provided no technical details.
The directive to take production file-sharing infrastructure offline with no advance warning — and no patch in hand — is an exceptionally rare step. It drew immediate attention from the security community, given the parallels to Progress's handling of the MOVEit Transfer incident in June 2023, when Clop had already exfiltrated data from hundreds of organizations before the initial advisory was published.
Progress subsequently confirmed the vulnerability during the July 10–13 period, with active honeypot detections of exploitation attempts reported during that window. By July 14, patches were available and customer access was restored.
The Vulnerability: Path Traversal Zero-Day
The confirmed vulnerability is a path traversal flaw in the ShareFile Storage Zone Controller. According to Progress's advisory, an authenticated administrative user can exploit the flaw to:
- Read arbitrary files accessible to the application's service account
- Write attacker-controlled content to arbitrary directories
- Enumerate the server filesystem layout
The ability to write files to arbitrary directories is particularly dangerous in a Windows IIS-hosted application context — it creates a potential path to webshell deployment and full remote code execution, even if that specific exploitation chain hasn't been publicly confirmed for this flaw.
A CVE identifier has been reserved but was not publicly assigned as of July 14, 2026. Progress indicated the CVE would be published approximately two weeks after disclosure. Progress stated it could not rule out exploitation, though no evidence of confirmed data exfiltration or unauthorized account access was disclosed at time of patching.
Affected Versions
| Branch | Affected | Fixed Version |
|---|---|---|
| 5.x | All versions prior to 5.12.5 | 5.12.5 |
| 6.x | All versions prior to 6.0.2 | 6.0.2 |
| Cloud SaaS (ShareFile.com) | Not affected | N/A |
Organizations using cloud-only ShareFile accounts with no self-hosted Storage Zone Controllers do not need to take any action.
Prior CVEs: April 2026 Pre-Auth RCE Chain
The July 2026 zero-day is a distinct vulnerability from two critical flaws disclosed by watchTowr Labs in April 2026:
| CVE | Type | CVSS | Description |
|---|---|---|---|
| CVE-2026-2699 | Authentication Bypass | 9.8 (Critical) | Bypasses authentication to reach restricted configuration pages |
| CVE-2026-2701 | Remote Code Execution | 9.1 (Critical) | Upload of malicious ASPX webshells for full unauthenticated RCE |
When chained, CVE-2026-2699 and CVE-2026-2701 allowed an unauthenticated attacker to achieve full remote code execution on any exposed ShareFile Storage Zone Controller. Shadowserver Foundation identified approximately 784 internet-exposed instances at the time of disclosure; watchTowr's broader scan found close to 30,000 visible instances. Progress patched those vulnerabilities in version 5.12.4.
Why ShareFile Is a High-Value Target
ShareFile Storage Zone Controllers store the actual file content transferred through the platform — enterprise documents, contracts, financial records, PII, and potentially regulated data. This makes them extremely high-value targets for:
- Ransomware groups conducting data theft and extortion
- State-sponsored actors conducting espionage via supply chain or trusted vendor access
- Financial crime actors seeking confidential business documents
ShareFile's file storage role mirrors that of MOVEit Transfer in 2023 — also a Progress Software product, also a trusted enterprise managed file transfer platform. Clop ransomware's exploitation of MOVEit breached over 2,700 organizations globally. While Clop has not been attributed to ShareFile exploitation, the profile of attacks is similar.
Historical ShareFile Vulnerabilities
| CVE | Year | Severity | Type | Notable |
|---|---|---|---|---|
| CVE-2023-24489 | 2023 | Critical | Unauthenticated RCE | Added to CISA KEV; exploited in wild |
| CVE-2026-2699 | 2026 | Critical (9.8) | Auth bypass | Patched in 5.12.4 |
| CVE-2026-2701 | 2026 | Critical (9.1) | Pre-auth RCE | Patched in 5.12.4 |
| TBD (July 2026) | 2026 | High | Path traversal zero-day | Patched in 5.12.5 / 6.0.2 |
What Organizations Should Do Now
Immediate Actions
- Upgrade immediately to ShareFile Storage Zone Controller 5.12.5 (5.x branch) or 6.0.2 (6.x branch)
- If you received the July 10 emergency shutdown email and your servers were shut down, do not bring them back online until the patch is applied
- Verify your deployment type — cloud-only customers are not affected and need no action
Post-Patch Investigation
After applying the patch, investigate for signs of exploitation during the exposure window (between initial exploitation and patching):
# Check IIS logs for suspicious path traversal patterns
# Look for requests containing ../ or encoded variants (%2e%2e%2f)
Get-Content "C:\inetpub\logs\LogFiles\W3SVC1\*.log" |
Select-String -Pattern "\.\./|%2e%2e%2f|%252e%252e" |
Select-Object -First 100
# Search for recently created or modified ASPX files
Get-ChildItem -Path "C:\inetpub\" -Filter "*.aspx" -Recurse |
Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-30)} |
Select-Object FullName, LastWriteTime
# Check for unexpected files in ShareFile storage directories
Get-ChildItem -Path "<ShareFile-StoragePath>" -Recurse -File |
Where-Object {$_.Extension -in @('.aspx','.asp','.php','.jsp')} |
Select-Object FullName, CreationTimeArchitecture Hardening
- Restrict management interface access: ShareFile Storage Zone Controller management should not be directly internet-accessible; restrict to VPN or trusted internal networks
- Implement least-privilege service accounts: The SZC application service account should have minimal filesystem permissions — only what is required to read/write the designated storage paths
- Monitor file integrity: Deploy file integrity monitoring on ShareFile server directories to detect unauthorized file writes
If Indicators of Compromise Are Found
Treat the server as fully compromised:
- Isolate the server from the network immediately
- Capture a forensic image before making any changes
- Assume all files accessible to the service account may have been read or exfiltrated
- Notify affected parties per applicable breach notification requirements
- Contact Progress Software support for incident response guidance
- Engage your incident response team or a third-party IR firm
Looking Ahead: CVE Assignment
Progress has indicated the CVE identifier for the July 2026 path traversal zero-day will be publicly assigned approximately two weeks after disclosure (estimated by ~July 28, 2026). Monitor the NVD, CISA KEV catalog, and Progress's security advisories for the identifier and final CVSS score.
Sources: BleepingComputer, The Hacker News, The Register