Progress ShareFile Pre-Auth RCE Chain Puts 30,000 Exposed Servers at Risk — Patch to 5.12.4

Researchers at watchTowr Labs have disclosed a two-vulnerability chain in Progress ShareFile Storage Zones Controller that enables unauthenticated remote code execution via webshell upload. Approximately 30,000 Storage Zones Controller instances are internet-exposed and remain at risk if not patched to version 5.12.4, which Progress released on 10 March 2026, before the attack path was publicly disclosed in full.

#sharefile #progress #rce #pre-auth #webshell #auth-bypass #file-upload #vulnerability-chain

Two critical vulnerabilities in Progress ShareFile’s Storage Zones Controller (SZC), tracked as CVE-2026-2699 and CVE-2026-2701, can be chained by an unauthenticated attacker to achieve remote code execution on any exposed server running the affected software. watchTowr Labs published the full technical analysis on 2 April 2026 following coordinated disclosure with Progress, which had shipped the fix in version 5.12.4 on 10 March. The gap between the silent patch and the public writeup has now closed, and organisations that delayed upgrading face immediate risk.

The Attack Chain

The first vulnerability, CVE-2026-2699, is an authentication bypass caused by execution-after-redirect (EAR) behaviour in the /ConfigService/Admin.aspx endpoint. In an EAR bug the server issues a redirect for an unauthenticated request but does not stop processing it, so the rest of the handler still runs and its output is still returned; a client that simply ignores the redirect therefore reaches the restricted administrative functions of the Storage Zones Controller without supplying valid credentials.
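To make the bug class concrete, here is a toy model of execution-after-redirect. This is an added illustration written for this article, not ShareFile code and not watchTowr's analysis: the Response object, the LOGIN_URL placeholder, the ADMIN_PAGE placeholder and the "performed upload" side effect are all assumed. The point it shows is that an anonymous caller receives a 302 whose body still carries the protected page, and, worse, any privileged action the handler performs after the redirect still happens.

```python
"""Toy model of an execution-after-redirect (EAR) authentication bypass.

Constructed illustration of the vulnerability class, not ShareFile code. The
"framework" here is a tiny Response object whose redirect() only sets the
status and Location header and hands control back to the handler, which is
exactly how EAR bugs arise when the handler forgets to stop after redirecting.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    body: str = ""
    side_effects: list = field(default_factory=list)  # privileged work the handler did

    def redirect(self, location):
        # Sets up a 302 but does NOT end the response: the caller must return.
        self.status = 302
        self.headers["Location"] = location


# Assumed placeholders: what the protected page renders, and where anonymous
# callers are sent. Neither is a real ShareFile value.
ADMIN_PAGE = "<form action='upload'>zone configuration and upload controls</form>"
LOGIN_URL = "/Login"


def admin_handler_vulnerable(authenticated, action=None):
    """Issues the redirect for anonymous callers but keeps executing (EAR)."""
    resp = Response()
    if not authenticated:
        resp.redirect(LOGIN_URL)      # bug: no return after the redirect
    # Everything below still runs for anonymous callers.
    if action is not None:
        resp.side_effects.append(f"performed {action}")  # stands in for a privileged operation
    resp.body += ADMIN_PAGE
    return resp


def admin_handler_fixed(authenticated, action=None):
    """Terminates processing immediately after issuing the redirect."""
    resp = Response()
    if not authenticated:
        resp.redirect(LOGIN_URL)
        return resp                   # fix: stop before any protected work
    if action is not None:
        resp.side_effects.append(f"performed {action}")
    resp.body += ADMIN_PAGE
    return resp


def attacker_view(handler, action="upload"):
    """What an unauthenticated client that ignores the Location header and
    reads the body anyway gets back: (status, body, side effects)."""
    resp = handler(authenticated=False, action=action)
    return resp.status, resp.body, list(resp.side_effects)


if __name__ == "__main__":
    for name, handler in (("vulnerable", admin_handler_vulnerable),
                          ("fixed", admin_handler_fixed)):
        status, body, effects = attacker_view(handler)
        print(f"{name}: HTTP {status}, body={body!r}, side effects={effects}")
```

The fixed handler returns the same 302, but with an empty body and no side effects; the vulnerable one returns the 302 together with the administrative page and a completed privileged action. Frameworks often offer a redirect variant that ends the response for you, but a handler that uses the non-terminating variant, or any custom redirect helper, must return explicitly.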

The second vulnerability, CVE-2026-2701, is an arbitrary file upload and extraction flaw that, when reached from an administrative session, allows an attacker to upload malicious archive content and have it extracted into a web-accessible directory on the server.

Chaining the two is straightforward: CVE-2026-2699 provides unauthenticated access to the administrative file upload functionality; CVE-2026-2701 allows a malicious ASPX webshell to be placed in a location the IIS web server will execute. Once the webshell is in place, the attacker has operating-system-level command execution on the server.

Scale of Exposure

watchTowr’s internet-wide scanning identified approximately 30,000 Storage Zones Controller instances with publicly reachable management interfaces. Progress ShareFile is heavily deployed in professional services, legal, financial services, and healthcare sectors, environments where the confidentiality of managed file transfers is business-critical and regulatory obligations apply. A compromised SZC gives an attacker access to all files stored within that zone and a pivot point into the broader corporate network.

This is not the first time Progress’s file transfer software has attracted serious attention. The MOVEit Transfer mass exploitation campaign in 2023 affected hundreds of organisations globally and led to widespread data theft. Threat actors targeting Progress software have historically moved quickly once technical details are public.

Why the Timing Is Dangerous

Progress released version 5.12.4 on 10 March without detailed public disclosure of the vulnerability classes involved. Many organisations running SZC would have assessed this as a routine maintenance update and deprioritised it. The watchTowr publication from 2 April changes the risk calculus entirely: any motivated threat actor can now construct a working exploit from the published technical analysis. The window between “silent patch” and “public technical detail” is closed.

Security teams that have not upgraded Storage Zones Controller since 10 March should escalate this to critical priority and treat potentially exposed servers as compromised pending investigation.

  • Upgrade Storage Zones Controller to version 5.12.4 immediately. Any server running StorageCenter_5.12.3 or earlier is vulnerable to the complete pre-auth RCE chain.
  • Audit internet exposure of the SZC management interface. If /ConfigService/Admin.aspx is reachable from the public internet, restrict it to known management IP ranges at the firewall or reverse proxy immediately — regardless of patching status.
  • Review IIS logs on all SZC servers for anomalous POST requests to /ConfigService/Admin.aspx from any unexpected source, going back to at least 10 March.
  • Inspect the IIS web root and upload directories for unexpected ASPX files. Any unrecognised .aspx file warrants immediate investigation and should be treated as a potential webshell.
  • Audit managed files for signs of exfiltration. Review access logs for the Storage Zone for unusual download activity, particularly of bulk or highly sensitive content.
  • Consider a full compromise assessment if your SZC server was unpatched and internet-facing between 10 March and the date of your upgrade.
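The two detection steps above (IIS log review for POSTs to /ConfigService/Admin.aspx from unexpected sources, and a sweep of the web root for unrecognised .aspx files) can be scripted. The following is an added example written for this article, not a tool from watchTowr or Progress. It uses only the Python standard library; the management IP range, the allow-list of known pages, the web root path and the sample IIS log lines are constructed assumptions and must be replaced with values from your own environment. The log hunt also flags requests to any .aspx page outside the allow-list, which goes slightly beyond the bullet and catches the webshell being used, not just being planted.

```python
"""Hunt queries for IIS W3C logs and the web root of a Storage Zones Controller.

Added example, standard library only. MANAGEMENT_NETS, KNOWN_ASPX and the
SAMPLE_LOG lines are constructed assumptions, not values from the advisory.
"""
import ipaddress
import os
from datetime import date, datetime

ADMIN_ENDPOINT = "/configservice/admin.aspx"
PATCH_DATE = date(2026, 3, 10)   # 5.12.4 release date; start of the exposure window

# Assumed: addresses from which administrators legitimately manage the SZC.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]

# Assumed allow-list of .aspx pages the SZC normally serves. Build the real one
# from a known-good installation, not from this script.
KNOWN_ASPX = {ADMIN_ENDPOINT}

# Constructed sample in IIS W3C format (IIS writes spaces inside fields as '+').
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2026-03-05 09:12:01 10.0.0.5 POST /ConfigService/Admin.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 302 0 0 88
2026-03-15 08:01:12 10.0.0.5 GET /ConfigService/Admin.aspx - 443 - 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2026-03-15 08:02:03 10.0.0.5 POST /ConfigService/Admin.aspx - 443 - 10.0.0.50 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 340
2026-03-15 21:17:44 10.0.0.5 POST /ConfigService/Admin.aspx - 443 - 203.0.113.77 python-requests/2.31.0 - 302 0 0 95
2026-03-15 21:17:45 10.0.0.5 POST /ConfigService/Admin.aspx upload=1 443 - 203.0.113.77 python-requests/2.31.0 - 200 0 0 2210
2026-03-15 21:17:49 10.0.0.5 GET /sz/s.aspx cmd=whoami 443 - 203.0.113.77 python-requests/2.31.0 - 200 0 0 51
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()   # column layout can change per log file
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue   # truncated or malformed line; skip rather than mis-map columns
        yield dict(zip(fields, values))


def is_management_ip(ip_str):
    """True if ip_str falls inside an allowed management range."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETS)


def find_suspicious(log_text, since=PATCH_DATE):
    """Return (reason, record) pairs for requests dated on or after `since`."""
    hits = []
    for rec in parse_w3c(log_text):
        if "date" not in rec or "time" not in rec:
            continue   # date/time logging disabled; cannot apply the window
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if when.date() < since:
            continue
        stem = rec["cs-uri-stem"].lower()
        client = rec["c-ip"]
        if stem == ADMIN_ENDPOINT and rec["cs-method"].upper() == "POST" and not is_management_ip(client):
            hits.append(("admin POST from non-management IP", rec))
        elif stem.endswith(".aspx") and stem not in KNOWN_ASPX:
            hits.append(("request to unknown .aspx page", rec))
    return hits


def unexpected_aspx_files(web_root, known_names, since=PATCH_DATE):
    """Return .aspx files under web_root whose name is not in known_names or whose
    modification date is on/after `since`. Timestamps can be forged (timestomping),
    so a clean mtime on an unknown file is weak evidence; the name check is primary."""
    findings = []
    for dirpath, _dirs, names in os.walk(web_root):
        for name in names:
            if not name.lower().endswith(".aspx"):
                continue
            path = os.path.join(dirpath, name)
            modified = date.fromtimestamp(os.path.getmtime(path))
            if name.lower() not in known_names or modified >= since:
                findings.append((path, modified))
    return findings


if __name__ == "__main__":
    for reason, rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']} -> {reason}")
    # Assumed web root; point this at the real SZC site directory.
    for path, modified in unexpected_aspx_files(r"C:\inetpub\wwwroot", {"admin.aspx"}):
        print(f"unexpected .aspx: {path} (modified {modified})")
```

Run it against the real logs by reading each rotated file under the IIS log directory and passing its contents to find_suspicious; widen `since` well before 10 March, since the flaw existed before the fix and the advisory date is only the earliest point at which a patch was available. A 302 on a POST to the admin endpoint from outside the management range is worth a close look on its own, given the execution-after-redirect nature of the bypass.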