JustAppSec

Pre-auth RCE chain fixed in ShareFile Storage Zones Controller

Published 02 Apr 2026. Source: Progress ShareFile Documentation

TL;DR — Critical ShareFile Storage Zones Controller v5 flaws allow unauthenticated access to restricted configuration pages and can be chained into remote code execution in customer-managed deployments.

What happened

ShareFile Storage Zones Controller (SZC) is the customer-managed/on-prem component used to host ShareFile data in an organization’s own storage while still integrating with ShareFile’s service.

Progress published a critical security notice covering two vulnerabilities affecting ShareFile Storage Zones Controller v5 deployments:

  • CVE-2026-2699: an Execution After Redirect (EAR) issue. In this bug class the application issues a redirect (for example to a login page) but keeps executing the handler behind it, so the restricted logic still runs for the unauthenticated request. Here that lets an unauthenticated attacker reach restricted configuration pages, change configuration, and potentially set up follow-on compromise.
  • CVE-2026-2701: an issue where an authenticated user can upload a malicious file and execute it, leading to remote code execution.

Progress states it has not received reports of exploitation at the time of publication.

watchTowr Labs published technical research the same day describing how these issues can be chained into pre-authenticated RCE against SZC 5.x, reinforcing that this is not a “theoretical” class of bug for internet-facing file-transfer infrastructure.

Who is impacted

  • Organizations running Progress ShareFile Storage Zones Controller v5.x for customer-managed zones.
  • Highest risk environments are those that expose SZC administration/configuration surfaces to untrusted networks.
Component | Affected versions (per CVE records) | Vendor-stated fixed / not-impacted versions
ShareFile Storage Zones Controller (5.x) | <= 5.12.3 | Upgrade to v5.12.4 (fixed)
ShareFile Storage Zones Controller (6.x) | Not impacted (per vendor notice) | Any v6 version

Notes:

  • CVE-2026-2699 is scored CVSS v3.1 9.8 (Critical) in the CVE record.
  • CVE-2026-2701 is scored CVSS v3.1 9.1 (Critical) in the CVE record. The record rates it PR:H because it needs an authenticated user, but the public research shows the chain with CVE-2026-2699 removes that requirement, so treat the pair as pre-auth in practice.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "We strongly recommend customers upgrading to latest v5 patch version v5.12.4 or customers can upgrade to any v6 version as V6 versions are not impacted by these vulnerabilities."

  • If you cannot upgrade immediately, apply the vendor-provided hardening guidance for the admin/config pages:
    • "Harden the Storage Zones Controller access using IIS or use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources."

  • Treat this as a potential appliance-style compromise path: if you suspect exposure, review for unexpected configuration changes and follow your incident response process (including credential/secret rotation relevant to SZC).
  • For environments concerned about abuse of the RCE path, use the vendor-provided operational guidance from the CVE record:
    • "Reset the secret and password using custom tool provided by ShareFile"
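
The "harden using IIS" guidance above is one of the two stop-gaps Progress offers. The script below is an added example of how to do that with IIS IP and Domain Restrictions; it is not code from Progress, the notice, or the watchTowr research. It assumes the SZC is installed under "Default Web Site", that the administration/configuration pages live under the /ConfigService application (verify the path on your own host before applying), and that 10.10.0.0/16 and 192.168.50.0/24 are the admin networks (constructed values). Run it in an elevated PowerShell on the SZC host.

```powershell
# Added example: restrict the SZC administration pages to trusted admin subnets with
# IIS IP/Domain Restrictions. The restriction is scoped to the admin application only,
# so the rest of the site keeps serving ShareFile storage traffic.
# Assumptions (adjust to your deployment):
#   - SZC is installed under "Default Web Site"
#   - admin/configuration pages are under the /ConfigService application (assumed path)
#   - admin networks are 10.10.0.0/16 and 192.168.50.0/24 (constructed values)
Import-Module WebAdministration

$SiteName    = 'Default Web Site'
$AdminApp    = 'ConfigService'                       # assumed admin path, verify locally
$Location    = "$SiteName/$AdminApp"
$AppHost     = 'MACHINE/WEBROOT/APPHOST'
$IpSecFilter = 'system.webServer/security/ipSecurity'
$TrustedNets = @(
    @{ Address = '10.10.0.0';    Mask = '255.255.0.0'   },
    @{ Address = '192.168.50.0'; Mask = '255.255.255.0' }
)

# 1. The IP and Domain Restrictions role service must be installed, otherwise the
#    ipSecurity section is present in config but nothing enforces it.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Install-WindowsFeature -Name Web-IP-Security | Out-Null
}

# 2. Start from an empty section for this location so re-running the script does
#    not append duplicate entries. Writing at APPHOST with -Location stores the rule
#    in applicationHost.config, which works even though ipSecurity is locked against
#    web.config overrides by default.
Clear-WebConfiguration -PSPath $AppHost -Location $Location -Filter $IpSecFilter

# 3. Deny every client that is not explicitly listed for the admin application.
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter $IpSecFilter -Name allowUnlisted -Value $false

# 4. Allow-list the admin subnets.
foreach ($net in $TrustedNets) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter $IpSecFilter -Name '.' `
        -Value @{ ipAddress = $net.Address; subnetMask = $net.Mask; allowed = $true }
}

# 5. Read back the effective configuration for that path and show what IIS enforces.
$effective = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter $IpSecFilter
"allowUnlisted for /$AdminApp : $($effective.allowUnlisted)"
$effective.Collection | Select-Object ipAddress, subnetMask, allowed | Format-Table -AutoSize
```

A network-layer restriction is the right shape of mitigation for an EAR bug, because the rejection happens in IIS before the application's redirect-then-keep-executing logic ever runs. It does not replace the v5.12.4 upgrade: CVE-2026-2701 still needs patching, and any administrator host that can reach the allow-listed range remains a pivot. If the SZC has a dedicated management interface, pair this with a host firewall rule on that interface rather than blocking port 443 globally, since the storage zone must stay reachable for ShareFile clients.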

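The "review for unexpected configuration changes" step above starts with knowing who reached the administration pages. The script below is an added example of that triage over IIS W3C logs; it is not code from Progress or from the research. It assumes the admin pages are under /ConfigService, that 10.10.0.0/16 is the only trusted admin range, and the log lines it runs on are constructed for illustration (page names and addresses are made up; real logs live under C:\inetpub\logs\LogFiles\W3SVC<site id>\).

```powershell
# Added example: flag requests to the SZC administration pages that did not come
# from a trusted admin network, using IIS W3C log lines.
# Assumptions: admin pages under /ConfigService (assumed path), trusted admin range
# 10.10.0.0/16 (constructed), sample log lines constructed for illustration.

function ConvertTo-UInt32Address([string]$Ip) {
    # IPv4 dotted quad -> unsigned integer so subnet membership is a mask compare.
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IpInCidr([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    $mask = if ([int]$prefix -eq 0) { [uint32]0 }
            else { [uint32]((0xFFFFFFFF -shl (32 - [int]$prefix)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Find-UntrustedAdminRequests {
    param(
        [string[]]$LogLines,
        [string]$AdminPathPrefix = '/ConfigService',   # assumed admin path
        [string[]]$TrustedCidrs = @('10.10.0.0/16')    # constructed trusted range
    )
    $fields = $null
    foreach ($line in $LogLines) {
        # The #Fields directive defines the column order; IIS may change it mid-file.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        if (-not $row['cs-uri-stem'].StartsWith($AdminPathPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

        $trusted = $false
        foreach ($cidr in $TrustedCidrs) {
            if (Test-IpInCidr $row['c-ip'] $cidr) { $trusted = $true; break }
        }
        if ($trusted) { continue }

        [pscustomobject]@{
            When     = "$($row['date']) $($row['time'])"
            ClientIp = $row['c-ip']
            Method   = $row['cs-method']
            Path     = $row['cs-uri-stem']
            Status   = $row['sc-status']
        }
    }
}

# Constructed sample log (not real SZC traffic). Only the last three admin-path
# lines come from outside the trusted range and should be reported.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2026-04-01 09:12:03 10.10.5.20 GET /ConfigService/Login.aspx - 443 10.10.0.15 200
2026-04-01 09:13:41 10.10.5.20 POST /ConfigService/Login.aspx - 443 10.10.0.15 302
2026-04-01 02:41:17 10.10.5.20 GET /ConfigService/Login.aspx - 443 203.0.113.44 302
2026-04-01 02:41:18 10.10.5.20 POST /ConfigService/Login.aspx - 443 203.0.113.44 200
2026-04-01 02:44:09 10.10.5.20 GET /ConfigService/ - 443 203.0.113.44 200
2026-04-01 02:45:30 10.10.5.20 GET /someother/path - 443 203.0.113.44 200
'@ -split "`r?`n"

Find-UntrustedAdminRequests -LogLines $sampleLog | Format-Table -AutoSize

# Against a real host:
# Find-UntrustedAdminRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex260401.log')
```

A 200 on an admin page following a 302 from the same untrusted client is exactly the pattern to look for with an EAR bug: the redirect was sent, and the protected content was served anyway. Any hit here should feed the incident response step above, including rotation of the secret and password with the vendor tool.
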
Additional Information

  • Vendor security notice (this item): https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26
  • CVE records: https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/2xxx/CVE-2026-2699.json, https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/2xxx/CVE-2026-2701.json
  • Technical research (exploit chain details): https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
  • Coverage: https://www.bleepingcomputer.com/news/security/new-progress-sharefile-flaws-can-be-chained-in-pre-auth-rce-attacks/
