Hacker-City
Technology|April 2, 2026|2 min read

New Progress ShareFile flaws can be chained in pre-auth RCE attacks

Two vulnerabilities in Progress ShareFile allow unauthenticated file exfiltration and remote code execution on affected systems, raising concerns for users.


Two critical vulnerabilities have recently been discovered in Progress ShareFile, a secure file transfer solution widely used by mid-sized and large enterprises. They allow malicious actors to exfiltrate files from affected systems without authenticating, raising significant security concerns.

Progress ShareFile serves as a document-sharing and collaboration platform, making it an attractive target for cybercriminals, particularly ransomware groups. Historical incidents, such as those involving Clop data-theft operations, illustrate the risks of exploiting weaknesses in similar systems.

The vulnerabilities were identified by researchers at the offensive security firm watchTowr. They pinpointed an authentication bypass vulnerability (CVE-2026-2699) along with a remote code execution flaw (CVE-2026-2701) in the Storage Zones Controller (SZC) component of Progress ShareFile, specifically in version branch 5.x.

The SZC component provides users with enhanced control over their data, allowing them to store information either on their own infrastructure (on-premises or with third-party cloud service providers) or directly on Progress’s systems.

In a responsible disclosure effort, watchTowr informed Progress of these vulnerabilities, which were subsequently addressed in the release of Progress ShareFile version 5.12.4 on March 10.

How the Attack Works

According to a detailed report by watchTowr, the attack commences with the exploitation of the authentication bypass vulnerability, CVE-2026-2699. This flaw allows an attacker to gain unauthorized access to the ShareFile admin interface due to a failure in properly handling HTTP redirects. Once access is achieved, the attacker can alter crucial Storage Zone configuration settings, including file storage paths and sensitive security parameters such as the zone passphrase and associated secret values.

Following this initial breach, the second vulnerability, CVE-2026-2701, can be exploited to execute remote code on the server. This is accomplished by leveraging the functionality associated with file upload and extraction, which allows the placement of malicious ASPX webshells within the application’s webroot. The researchers clarify that successful exploitation requires attackers to generate valid HMAC signatures and to extract and decrypt internal secrets. These actions, however, can be facilitated after the initial exploitation of CVE-2026-2699, as the attacker can manipulate passphrase-related values.
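The webshell step described above leaves a file-system trace a defender can check for: a new or changed ASP.NET file under the webroot. The following is an added example, not code from watchTowr or Progress, that snapshots executable-content files and reports drift against a known-good baseline; the extension list and the two command-line paths are assumptions to adapt to the deployment.

```python
import hashlib
import json
import os
import sys

# Assumption: file types IIS/ASP.NET will execute or that change handler behaviour.
# Extend to match the site's handler mappings.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".ascx", ".config"}


def snapshot(webroot):
    """Return {relative path (lowercased, '/' separators): SHA-256} for script files."""
    found = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            # NTFS is case-insensitive, so normalise case before comparing.
            rel = os.path.relpath(full, webroot).replace(os.sep, "/").lower()
            with open(full, "rb") as fh:
                found[rel] = hashlib.sha256(fh.read()).hexdigest()
    return found


def drift(baseline, current):
    """Compare a known-good snapshot with the current one."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    # Usage: webroot_drift.py <webroot> <baseline.json>  (both paths are placeholders)
    webroot, baseline_path = sys.argv[1], sys.argv[2]
    current = snapshot(webroot)
    if not os.path.exists(baseline_path):
        # First run on a known-good (patched, verified) install: record the baseline.
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=2)
        sys.exit(0)
    with open(baseline_path) as fh:
        report = drift(json.load(fh), current)
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["added"] or report["modified"] else 0)
```

Keep the baseline file off the server being checked, since anyone with code execution on that host can rewrite a local copy.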

Impact and Exposure

Research from watchTowr indicates that around 30,000 Storage Zone Controller instances may be exposed on the public internet. The ShadowServer Foundation has recorded approximately 700 instances of Progress ShareFile that are currently visible online, predominantly located in the United States and Europe.

The vulnerabilities were communicated to Progress between February 6 and 13, with the complete exploit chain validated by watchTowr on February 18 for version 5.12.4 of ShareFile. Following this confirmation, Progress released security updates within that version, which became available on March 10.

As of this writing, there has been no confirmed active exploitation in the wild. However, it is strongly recommended that any systems operating vulnerable versions of the ShareFile Storage Zone Controller be updated immediately, as the public disclosure of these vulnerabilities heightens the chance of exploitation by threat actors.
