Security researchers at watchTowr Labs have disclosed a critical exploit chain in the Progress ShareFile Storage Zone Controller.
The vulnerabilities, tracked as CVE-2026-2699 and CVE-2026-2701, allow unauthenticated attackers to achieve Remote Code Execution (RCE) and fully compromise vulnerable servers.
With roughly 30,000 instances exposed to the public internet, organizations are urged to patch immediately to prevent catastrophic data breaches.
Managed file transfer (MFT) solutions remain a prime target for advanced persistent threat (APT) groups and ransomware syndicates.
Following historic breaches involving tools like MOVEit, Cleo Harmony, and GoAnywhere, threat actors continually hunt for unpatched data-sharing gateways.
These newly uncovered ShareFile flaws present a highly lucrative opportunity for attackers looking to infiltrate corporate networks and siphon sensitive intellectual property.
The Target: Storage Zone Controller
While Progress ShareFile operates a popular SaaS platform, many enterprises use the on-premises Storage Zone Controller to maintain data sovereignty and regulatory compliance.
This software acts as a customer-managed gateway, allowing organizations to keep data on local network shares or private cloud buckets while still using the main ShareFile web interface.
The newly discovered vulnerabilities reside entirely within this self-hosted application.
CVE-2026-2699: Bypassing Authentication
The attack sequence begins with an authentication bypass in the administrator configuration panel (/ConfigService/Admin.aspx).
When an unauthenticated user requests this endpoint, the application issues an HTTP 302 redirect, pointing the user to a secure login page.
However, researchers found a fatal coding error in the underlying C# codebase. The developers passed a false boolean flag to the .Redirect() function.
This particular flag instructs the server not to terminate the page's execution after sending the redirect command.
Known as an "Execution After Redirect" (EAR) vulnerability, this allows an attacker to simply intercept the HTTP response, drop the Location header, and load the fully functional admin panel, no credentials required.
CVE-2026-2701: Achieving Remote Code Execution
With administrative access secured, the attacker can exploit the second vulnerability to execute malicious code.
The Storage Zone Controller allows administrators to configure a "Network Share Location" for user uploads.
While the application tests the supplied path to ensure it has read and write permissions, it completely fails to validate whether the path is a legitimate, safe storage directory.
Attackers can exploit this oversight by reconfiguring the storage destination to point directly into the application's public webroot (C:inetpubwwwrootShareFileStorageCenterdocumentum).
Once the path is modified, the attacker can upload a malicious ASPX web shell disguised as an ordinary file.
By navigating to that uploaded script in their browser, the attacker gains full, unauthorized remote control over the server.
These vulnerabilities specifically affect Branch 5.x of the ShareFile Storage Zone Controller, which is built on ASP.NET.
The flaws were confirmed by watchTowr Labs in version 5.12.3. Progress addressed both vulnerabilities in version 5.12.4, which was quietly rolled out to customers on March 10, 2026.
Security teams should immediately upgrade their Storage Zone Controllers to version 5.12.4 or later.
Additionally, defenders should monitor web server logs for anomalous requests to configuration endpoints, inspect the webroot for unexpected ASPX files, and ensure that on-premises file gateways are shielded behind robust firewalls wherever possible.
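The two log and webroot checks recommended above, worked through as an added example that is not code from watchTowr Labs or Progress: because an Execution After Redirect response still carries the 302 status, the tell-tale in IIS logs is an anonymous 302 whose body is far larger than a bare redirect, or an anonymous POST to the configuration endpoint. It assumes IIS W3C logging with the optional sc-bytes field enabled, the /ConfigService/ path named in the article, a constructed log sample, and a 2048-byte threshold that is an assumption to tune against real login redirects.

```python
# Added example (not watchTowr's or Progress's code): triage the two signals the
# article's guidance points at, anomalous config-endpoint requests and stray .aspx files.
import os

CONFIG_PREFIX = "/configservice/"
# Assumption: a genuine 302 to the login page carries only a tiny body, while a
# 302 that also carries the rendered admin page (Execution After Redirect) is large.
BIG_302_BYTES = 2048

# Constructed IIS W3C sample (sc-bytes is an optional field that must be enabled):
# a benign redirect, an EAR-shaped 302, an anonymous POST, and a normal admin login.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-bytes
2026-03-11 09:00:01 GET /ConfigService/Admin.aspx - 10.0.0.5 302 152
2026-03-11 09:00:02 GET /ConfigService/Admin.aspx - 203.0.113.7 302 48211
2026-03-11 09:00:09 POST /ConfigService/Admin.aspx - 203.0.113.7 302 47980
2026-03-11 09:01:00 GET /ConfigService/Admin.aspx admin 10.0.0.9 200 48100
"""

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def suspicious_config_requests(text):
    """Return (client IP, reason) for anonymous config-panel requests that look like a bypass."""
    hits = []
    for e in parse_w3c(text):
        if not e["cs-uri-stem"].lower().startswith(CONFIG_PREFIX):
            continue
        if e["cs-username"] != "-":  # authenticated user: not this check's concern
            continue
        if e["cs-method"] == "POST":
            hits.append((e["c-ip"], "anonymous POST to configuration endpoint"))
        elif e["sc-status"] == "302" and int(e["sc-bytes"]) > BIG_302_BYTES:
            hits.append((e["c-ip"], "302 redirect carrying a full page body"))
    return hits

def unexpected_aspx(rel_paths, baseline):
    """Return .aspx paths (relative to the webroot) absent from a known-good baseline."""
    return sorted(p for p in rel_paths if p.lower().endswith(".aspx") and p not in baseline)

def walk_webroot(webroot):
    """Relative, forward-slash paths of every file under webroot, for unexpected_aspx()."""
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), webroot)
            yield rel.replace(os.sep, "/")
```

Build the baseline for unexpected_aspx() from a clean install of the same version, and run walk_webroot() against the live webroot rather than trusting file timestamps, since an uploaded shell can be given any modification time.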