SOCRadar® Cyber Intelligence Inc. | Progress ShareFile Flaws CVE-2026-2699 & CVE-2026-2701 RCE
Apr 03, 2026

Progress ShareFile Flaws CVE-2026-2699 & CVE-2026-2701 RCE

A newly disclosed Progress ShareFile pre-auth RCE chain is drawing attention after researchers showed how CVE-2026-2699 and CVE-2026-2701 can be combined to compromise exposed Storage Zones Controller 5.x servers. The issue affects customer-managed ShareFile deployments that rely on the older 5.x branch, not every ShareFile environment.

watchTowr publicly disclosed the chain on April 2, 2026, after Progress had already released a fix in ShareFile 5.12.4 on March 10, 2026. According to public advisories, successful exploitation can let an unauthenticated attacker bypass access controls, abuse upload and extraction behavior, and place a malicious ASPX webshell in the application’s webroot.

For organizations running internet-facing ShareFile infrastructure, this is the kind of issue that deserves immediate attention. File-sharing platforms often sit close to sensitive business data, and a pre-authentication compromise path can quickly turn a single exposed server into a much larger risk.

What Are CVE-2026-2699 and CVE-2026-2701 in Progress ShareFile?

CVE-2026-2699 (CVSS score of 9.8) is an authentication bypass vulnerability. Public descriptions indicate that an unauthenticated attacker can reach restricted configuration functionality in affected customer-managed deployments. That access can then open the door to more serious actions.

Details of CVE-2026-2699 (SOCRadar Vulnerability Intelligence)

CVE-2026-2701 (CVSS score of 9.1) is the remote code execution side of the chain. On its own, the flaw is serious, but its impact becomes much greater when paired with the authentication bypass. watchTowr reported that both vulnerabilities were present in StorageCenter_5.12.3 and were fixed in 5.12.4.

Details of CVE-2026-2701 (SOCRadar Vulnerability Intelligence)

This combination is what makes the incident stand out. It is not just a misconfiguration issue or a limited admin feature weakness. It is a chain that can move from unauthenticated access to server-side compromise.

Which ShareFile Deployments Are Affected?

The affected component is the customer-managed Storage Zones Controller in the 5.x branch. Public reporting and vendor-linked advisories indicate that versions prior to 5.12.4 are affected.

That distinction matters because not all ShareFile deployments use the same architecture. ShareFile has different branches and deployment models, and the disclosed chain is specific to the older IIS-hosted 5.x Storage Zones Controller path. That means the most urgent priority is not every ShareFile user everywhere, but organizations that run customer-managed SZC 5.x systems, especially if those systems are reachable from the internet.

These deployments often exist because organizations want more control over storage location, compliance, or data handling. That can also make them more sensitive targets once a pre-authentication server-side exploit becomes public.

How Does the Progress ShareFile Pre-Auth RCE Chain Work?

At a high level, the chain starts with authentication bypass and ends with code execution.

The first issue gives an attacker a way to get past access restrictions. The second turns that foothold into a route for server compromise. Public descriptions of the attack path say exploitation can abuse ShareFile’s upload and extraction behavior to place a malicious ASPX webshell into a web-accessible path.

watchTowr tied the authentication bypass to HTTP redirect handling, and public weakness mappings around CVE-2026-2699 point to improper access control and execution after redirect conditions. In practical terms, that means the first flaw is not just a way to peek at restricted pages. In the disclosed chain, it becomes the entry point that makes remote code execution possible.

For defenders, that is the important takeaway. Once the authentication barrier falls, the exposed ShareFile server may no longer be just a vulnerable application. It can become a remotely controlled foothold.

Why Is This ShareFile RCE Chain So Serious?

The biggest reason is simple: the chain is pre-authentication. Attackers do not need valid credentials to start.

That alone raises urgency, but the target type makes it more serious. File transfer and collaboration platforms are attractive targets because they often sit on the internet edge, handle valuable documents, and connect to sensitive internal workflows. A compromise in this layer can expose far more than the application itself.

Another factor is timing. Once technical details and proof-of-concept material become public, opportunistic scanning often follows quickly. Even if a vendor has already released a patch, exposed systems tend to stay online longer than security teams expect.

For organizations with internet-facing Storage Zones Controller systems, this is not the kind of vulnerability to leave for a routine patch window.

Is There Evidence of Active Exploitation?

As of the cited advisories, Progress had not confirmed in-the-wild exploitation. That said, defenders should not take too much comfort from that.

watchTowr publicly released technical details and proof-of-concept material, which changes the risk picture immediately. Once a working pre-auth RCE chain becomes widely available, the gap between disclosure and real-world abuse can become very short. Even without confirmed mass exploitation, the exposure level is high enough to justify urgent action.

What Should Organizations Do Right Now?

The first step is clear. If you run an affected Progress ShareFile Storage Zones Controller 5.x deployment, upgrade to 5.12.4 or later as quickly as possible.

Patching should be followed by exposure review. Security teams should identify whether any customer-managed ShareFile servers are internet-facing, validate their current version, and review whether those systems were left exposed after the vendor fix became available.

Teams should also look for signs of suspicious activity tied to the disclosed attack path. That includes unexpected ASPX files in web-accessible locations, unusual upload behavior, and unexpected changes in the application environment that could indicate webshell placement or follow-on access.

If a vulnerable server was exposed publicly, do not limit the response to patching alone. Review logs, inspect file paths associated with uploads and extraction, and assess whether the server should be treated as potentially compromised.
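
The file review described above can be scripted. The following Python is an added example, not code from Progress, watchTowr or SOCRadar: it compares the script files under a webroot with a known-good hash baseline and reports anything new or altered. The baseline, the sample file names and the use of the March 10, 2026 fix date as the start of the window are assumptions, and .ashx and .asmx are checked in addition to the ASPX files the advisories mention.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# ASP.NET types IIS will execute; the page names ASPX, the others are an added generalization.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx"}

def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()

def hunt_webroot(webroot, baseline, since):
    """Report script files missing from, or differing from, a known-good baseline.
    baseline: {relative path, lowercase with '/': sha256} from a clean install (assumed input).
    since: aware datetime opening the exposure window; it only ranks findings, since
    timestamps can be altered and prove nothing on their own."""
    findings = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/").lower()
            with open(full, "rb") as fh:
                digest = sha256_bytes(fh.read())
            if baseline.get(rel) == digest:
                continue  # known file with unchanged content
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            reason = "hash-mismatch" if rel in baseline else "not-in-baseline"
            findings.append({"path": rel, "reason": reason, "sha256": digest,
                             "in_window": mtime >= since})
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Constructed sample webroot (names are illustrative, not ShareFile's real layout)."""
    clean = b'<%@ Page Language="C#" %>clean'
    files = {"default.aspx": clean, "config.aspx": b"altered",
             "uploads/dropped.aspx": b"unexpected", "uploads/report.pdf": b"%PDF-"}
    baseline = {"default.aspx": sha256_bytes(clean), "config.aspx": sha256_bytes(b"original")}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        # Window start is an assumption: the fix release date given in the article.
        return hunt_webroot(root, baseline, datetime(2026, 3, 10, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any finding is a lead for log review and file inspection rather than a verdict, and an empty result does not clear a server that was exposed while unpatched.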

Strengthen Visibility Across Threats and Exposure

SOCRadar’s Attack Surface Management, Company Vulnerabilities

For organizations responding to critical flaws, platforms such as SOCRadar Vulnerability Intelligence and Attack Surface Management can help bring additional context to the process. By combining vulnerability prioritization with visibility into exposed assets, security teams can better understand which issues are most urgent, identify where affected systems are internet-facing, and support faster, more informed remediation decisions.

Why This Matters Beyond ShareFile Alone

This incident is another reminder that customer-managed file-sharing infrastructure remains a high-value target. Organizations often deploy these systems for good reasons such as performance, control, or compliance, but those same reasons can make them more sensitive when a serious flaw appears.

A public pre-auth RCE chain against a system that may sit close to document workflows, regulated data, and external access paths creates immediate risk. That is why this issue should be treated as more than just another product update. For affected organizations, it is a direct exposure-management problem.

The main priority is straightforward: find exposed ShareFile Storage Zones Controller 5.x systems, confirm whether they are running a vulnerable version, apply the ShareFile 5.12.4 patch, and investigate for signs of compromise where exposure existed.