
Progress Software has confirmed the mystery behind last week's abrupt shutdown of ShareFile Storage Zone Controllers: a high-severity zero-day vulnerability that allowed attackers to read, write, and map files on customer servers. The company has now shipped patches, and organizations running the affected software should apply them without delay.
The story began when Progress told customers to shut down the Windows servers running their Storage Zone Controllers after learning of a credible external threat, temporarily cutting off ShareFile access for every account tied to the technology. At the time, Progress kept the specifics under wraps as it worked with outside security experts on the incident.
That silence ended this week. Progress told customers its investigation traced the shutdown to a high-severity path traversal bug (a flaw that lets an attacker step outside an intended folder to reach files they shouldn't touch) present in every 5.x and 6.x build of the Storage Zone Controller.
According to an email reviewed by BleepingComputer, the flaw lets an authenticated administrative user pull arbitrary files reachable by the app's service account, drop attacker-controlled content into arbitrary directories, or map out the server's entire filesystem layout. A CVE has been reserved, but won't go public for two weeks.
The stakes here are real. Storage Zone Controllers let organizations keep files on their own infrastructure while still riding ShareFile's cloud for logins, permissions, and sharing — which typically means the servers sit exposed to the internet.
That combination of internet exposure and sensitive file storage has made similar platforms a favorite target for extortion gangs, most infamously in the 2023 Clop-driven MOVEit Transfer campaign, another Progress product.
This also isn't the Storage Zone Controller's first brush with serious trouble. In April, watchTowr Labs disclosed a chainable authentication bypass and a remote code execution pair, rated 9.8 and 9.1, and Shadowserver later spotted active exploitation attempts targeting the same bypass flaw in the wild.
Progress says there's currently no evidence that any customer accounts or data were accessed. Fixes are available in versions 5.12.5 and 6.0.2 — admins should patch immediately before bringing Storage Zone Controllers back online, and treat any internet-facing instance as a priority.