Latest Progress ShareFile vulnerabilities: CVE-2026-2699, and CVE-2026-2701 #
Progress Software disclosed two vulnerabilities in 5.x versions of customer-managed ShareFile Storage Zones Controller (SZC).
- CVE-2026-2699: Allows a remote, unauthenticated adversary to access restricted configuration pages. This could lead to unauthorized system configuration changes and potential Remote Code Execution (RCE) resulting from an Execution After Redirect (EAR) vulnerability. This vulnerability has been designated CVE-2026-2699 and has been rated critical with a CVSS score of 9.8.
- CVE-2026-2701: Allows a remote, high-privileged user to upload a malicious file to the server and execute it to achieve RCE. This vulnerability has been designated CVE-2026-2701 and has been rated critical with a CVSS score of 9.1.
The following versions are affected:
- ShareFile Storage Zones Controller 5.x versions prior to 5.12.4
What is Progress ShareFile Storage Zones Controller? #
Progress ShareFile Storage Zones Controller is a software application that enables organizations to store their ShareFile data on-premises or in a private cloud infrastructure, rather than using the default ShareFile cloud storage.
What is the impact? #
Successful exploitation of these vulnerabilities would allow an adversary to execute arbitrary code on the vulnerable host, potentially leading to complete system compromise.
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- ShareFile Storage Zones Controller 5.x: Upgrade to version 5.12.4 or later.
- Alternative: Users on version 5.x may also upgrade to any v6 version, as all v6 versions are unaffected by these
vulnerabilities.
How to find potentially vulnerable systems with runZero #
From the Software Inventory, use the following query to locate potentially impacted assets:
(vendor:="Progress Software" OR vendor:=Citrix OR vendor:=ShareFile) AND
(product:="ShareFile Storage Zones Controller" OR product:="ShareFile StorageZones Controller")
