
Progress ShareFile Storage Zone Controller Hit With Critical Pre-Auth RCE Chain — Patch Now

Researchers disclose a two-flaw pre-auth RCE chain in Progress ShareFile's Storage Zone Controller. Patch to version 5.12.4 immediately.

Progress ShareFile RCE Flaw

Offensive security firm watchTowr has disclosed a critical two-vulnerability chain in Progress ShareFile's on-premises Storage Zone Controller (SZC) that allows an unauthenticated attacker to fully compromise a target server — no credentials required. With roughly 30,000 SZC instances exposed on the public internet, the attack surface is significant, and the timing is urgent: a working proof-of-concept is already public.

The chain pairs CVE-2026-2699, rated CVSS 9.8, which allows a remote, unauthenticated attacker to access restricted configuration pages, with CVE-2026-2701, rated CVSS 9.1, which enables a privileged user to upload and execute a malicious file on the server (source: runZero).

The root cause of CVE-2026-2699 is an old ghost from PHP-era development, now haunting ASP.NET: a classic Execution After Redirect (EAR) flaw. When the admin panel at /ConfigService/Admin.aspx is accessed unauthenticated, the server correctly issues a 302 redirect — but fails to terminate page execution afterward. The full admin interface renders in the response body, and simply stripping the redirect header in a proxy tool exposes it entirely.
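To make the bug class concrete, here is an added example (not code from the watchTowr write-up or from ShareFile) that reproduces the Execution After Redirect pattern in a toy Python WSGI app and shows the fixed form beside it. The admin page markup, the cookie-based session check, the field names and the login path are constructed stand-ins; `looks_like_ear` is the response check a defender can apply to a captured response.

```python
"""Execution After Redirect (EAR) in a toy WSGI app: vulnerable vs fixed handler.

Added example for illustration; not code from the watchTowr write-up or from
ShareFile. The admin page markup, the cookie-based session check and the
login path are constructed stand-ins.
"""
from wsgiref.util import setup_testing_defaults

ADMIN_PATH = "/ConfigService/Admin.aspx"
LOGIN_PATH = "/ConfigService/Login.aspx"   # assumed path, not from the advisory

# Constructed stand-in for the privileged configuration page.
ADMIN_PAGE = (
    b"<html><body><h1>Storage Zone Configuration</h1>"
    b"<form method='post'><input name='NetworkShareLocation'>"
    b"<input name='ZonePassphrase' type='password'></form></body></html>"
)


def _is_authenticated(environ):
    # Constructed session check; a real app would validate a signed session.
    return environ.get("HTTP_COOKIE", "") == "session=valid"


def vulnerable_admin(environ, start_response):
    """EAR pattern: the redirect is issued, but rendering is not stopped."""
    if not _is_authenticated(environ):
        start_response("302 Found", [("Location", LOGIN_PATH),
                                     ("Content-Type", "text/html")])
        # BUG: no return here. Execution falls through to the render below,
        # so the 302 response carries the full admin page as its body.
    else:
        start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_PAGE]


def fixed_admin(environ, start_response):
    """Correct form: the unauthenticated branch terminates the request."""
    if not _is_authenticated(environ):
        start_response("302 Found", [("Location", LOGIN_PATH),
                                     ("Content-Length", "0")])
        return [b""]                      # nothing else is rendered
    start_response("200 OK", [("Content-Type", "text/html")])
    return [ADMIN_PAGE]


def call(app, cookie=None):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {"PATH_INFO": ADMIN_PATH, "REQUEST_METHOD": "GET"}
    setup_testing_defaults(environ)
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def looks_like_ear(status, body):
    """Defender-side check on a captured response: a redirect whose body is
    more than the short 'Object moved' stub IIS normally sends with a 302."""
    redirect = status.startswith(("301", "302", "303", "307", "308"))
    substantive = b"<form" in body.lower() or len(body) > 1024
    return redirect and substantive


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_admin), ("fixed", fixed_admin)):
        status, _, body = call(app)
        print(f"{name:10s} status={status} body_bytes={len(body)} "
              f"ear={looks_like_ear(status, body)}")
```

The same mistake in ASP.NET Web Forms takes the form of a redirect that does not end the response (for example `Response.Redirect(url, false)` with no subsequent `CompleteRequest`), after which the page lifecycle continues and the page renders normally into the 302 body. The `looks_like_ear` heuristic is what a scanner or proxy review can use: a 3xx status whose body contains forms or runs well past the size of a redirect stub.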

Once inside, an attacker can modify Storage Zone configuration settings, including file storage paths and security-sensitive parameters such as the zone passphrase and related secrets. Attackers then abuse ShareFile's ZIP file upload and extraction functionality to plant a malicious ASPX webshell directly in the application's webroot — the server's publicly accessible root directory — achieving remote code execution running as NT AUTHORITY\NETWORK SERVICE.

The flaws were found in StorageCenter_5.12.3, the latest 5.x branch release at the time of the research. Progress addressed them in ShareFile 5.12.4, released on March 10, 2026, following watchTowr's responsible disclosure between February 6 and 13.

Progress ShareFile is a document sharing and collaboration product typically used by large and mid-sized companies. Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in MOVEit Transfer, GoAnywhere MFT, and Cleo.

This attack fits a now-familiar pattern — file transfer software exposed to the internet, quietly hosting enterprise data, becoming the entry point for wider network compromise.

No active exploitation in the wild has been confirmed as of writing, but watchTowr has already released a Detection Artifact Generator on GitHub, and the full technical write-up is public — narrowing the window before opportunistic actors move in.

What you should do right now: Organizations running Progress ShareFile Storage Zone Controller on branch 5.x must upgrade to version 5.12.4 immediately. Verify whether any SZC instances are internet-facing, audit for suspicious activity around /ConfigService/Admin.aspx, and check for unauthorized zone configuration changes, particularly to Network Share Location or Primary Zone Controller fields.
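A concrete way to run that audit against IIS logs, as an added example (not watchTowr's Detection Artifact Generator and not Progress tooling): it parses W3C-format log lines using the `#Fields:` header, restricts to /ConfigService/Admin.aspx, and flags a 302 whose body is far larger than a redirect stub (the shape of an Execution After Redirect response), any POST to the admin page (a configuration change to reconcile against approved changes), and admin-page requests from non-RFC 1918 addresses. The log lines are constructed, the script assumes the optional `sc-bytes` field is enabled in IIS logging, and the size threshold is a starting heuristic to tune.

```python
"""Triage IIS W3C logs for suspicious activity around the SZC admin page.

Added example; not watchTowr's Detection Artifact Generator and not Progress
tooling. The log lines below are constructed, and they assume the optional
sc-bytes field is enabled in IIS logging.
"""
import ipaddress

ADMIN_PATH = "/ConfigService/Admin.aspx"

# RFC 1918 and loopback ranges. ipaddress.is_private is deliberately not used:
# it also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample. Real logs live under %SystemDrive%\inetpub\logs\LogFiles.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2026-03-11 02:14:07 10.0.0.5 GET /ConfigService/Admin.aspx - 443 - 203.0.113.44 python-requests/2.31 302 0 0 48231 412 15
2026-03-11 02:14:09 10.0.0.5 POST /ConfigService/Admin.aspx - 443 - 203.0.113.44 python-requests/2.31 302 0 0 48410 2877 31
2026-03-11 02:20:00 10.0.0.5 GET /ConfigService/Admin.aspx - 443 CORP\szcadmin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 48102 511 20
2026-03-11 02:21:33 10.0.0.5 GET /ConfigService/Admin.aspx - 443 - 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 302 0 0 162 389 3
2026-03-11 02:25:00 10.0.0.5 GET /Default.aspx - 443 - 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 0 0 900 300 5
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                      # skip malformed lines rather than guess
        yield dict(zip(fields, values))


def _to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):       # IIS writes '-' for unavailable fields
        return 0


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def analyze(text, body_threshold=2048):
    """Return findings for requests to the admin page (heuristics, tune locally)."""
    findings = []
    for rec in parse_w3c(text):
        if rec.get("cs-uri-stem", "").lower() != ADMIN_PATH.lower():
            continue
        base = {"time": f'{rec["date"]} {rec["time"]}', "client": rec["c-ip"],
                "method": rec["cs-method"], "status": rec["sc-status"]}
        # A 302 should carry only a short stub; a large body is the EAR shape.
        if rec["sc-status"] == "302" and _to_int(rec.get("sc-bytes")) > body_threshold:
            findings.append({**base, "rule": "large_redirect_body",
                             "detail": f'{rec["sc-bytes"]} response bytes'})
        # Every POST to the admin page is a configuration change to account for.
        if rec["cs-method"] == "POST":
            findings.append({**base, "rule": "admin_post",
                             "detail": f'user={rec["cs-username"]}'})
        # The admin page should never be reached from outside the network.
        if not is_internal(rec["c-ip"]):
            findings.append({**base, "rule": "external_client", "detail": rec["c-ip"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f'{f["time"]} {f["client"]:15s} {f["method"]:4s} {f["status"]} '
              f'{f["rule"]:20s} {f["detail"]}')
```

On the constructed sample, the two requests from the outside address produce all five findings, while the authenticated internal session and the ordinary 162-byte internal redirect produce none. The external-client rule uses explicit RFC 1918 ranges rather than `ip_address(...).is_private`, because the latter also classifies documentation ranges such as 203.0.113.0/24 as private and would silence exactly the sample's external address.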
