Two New Vulnerabilities in Progress ShareFile Can Be Chained for Unauthenticated RCE Attacks


Friday, April 3, 2026

Two security vulnerabilities have been discovered in Progress Software ShareFile, an enterprise file transfer and sharing solution, affecting the Storage Zones Controller component in version 5.x. The flaws, CVE-2026-2699 (authentication bypass) and CVE-2026-2701 (remote code execution), can be chained together, allowing attackers to access systems, exfiltrate data, or execute malicious code without authentication.

The attack begins with CVE-2026-2699, which exploits improper handling of HTTP redirects to gain access to the ShareFile management interface. This allows attackers to modify Storage Zone configurations, including file storage paths and security settings such as passphrases. Once these controls are obtained, CVE-2026-2701 can be used to execute code on the server via file upload and extraction functionality, enabling attackers to deploy an ASPX webshell within the application’s web root. Researchers noted that once passphrase-related configurations are compromised, attackers can generate HMAC signatures and decrypt sensitive data required for further exploitation.

Analysis indicates that approximately 30,000 Storage Zones Controller instances are exposed to the public internet, while Shadowserver Foundation identified around 700 vulnerable systems, primarily located in the United States and Europe. Progress Software released a patch in version 5.12.4 on March 10, 2026. Although no widespread exploitation has been reported yet, organizations using affected versions are strongly advised to apply the update immediately, as public disclosure of these vulnerabilities may accelerate real-world attacks.

Source: https://www.bleepingcomputer.com/news/security/new-progress-sharefile-flaws-can-be-chained-in-pre-auth-rce-attacks/