Vypr advisory · Published Apr 2, 2026 · Updated May 20, 2026 · 1 source

Progress ShareFile Storage Zone Controller Pre-Auth RCE Chain (CVE-2026-2699 & CVE-2026-2701)

WatchTowr researchers disclosed a pre-authenticated remote code execution chain in Progress ShareFile's on-premises Storage Zone Controller, affecting roughly 30,000 internet-facing instances.

WatchTowr Labs has disclosed a critical vulnerability chain in Progress ShareFile's on-premises Storage Zone Controller that allows unauthenticated attackers to achieve full remote code execution. The chain combines CVE-2026-2699, an authentication bypass, and CVE-2026-2701, a remote code execution flaw, affecting version 5.x prior to 5.12.4. Progress released patches on March 10, 2026, but with approximately 30,000 internet-facing instances, the attack surface remains significant.

The vulnerabilities reside in the Storage Zone Controller, a customer-managed gateway that keeps files in local or cloud storage while integrating with ShareFile's SaaS interface. The component is hosted on IIS and uses ASP.NET for branch 5.x. WatchTowr researchers focused on version StorageCenter_5.12.3, the latest at the time of research, and identified the flaws by decompiling the application's DLLs and analyzing script files and REST endpoints.

CVE-2026-2699 enables authentication bypass, allowing an unauthenticated attacker to access protected endpoints without valid credentials. This bypass then sets the stage for CVE-2026-2701, which provides remote code execution on the IIS server. The attack chain does not require any prior access, making it particularly dangerous for exposed instances.

The vulnerabilities are specific to branch 5.x of the Storage Zone Controller, which uses ASP.NET. Branch 6.x, built on .NET Core, is not affected by these particular flaws. However, the researchers noted that their investigation covered both branches, and further issues may exist in the newer codebase.

Progress addressed the vulnerabilities in version 5.12.4, released to customers on March 10, 2026. Administrators running affected versions are urged to update immediately. Given the historical pattern of file transfer solutions being targeted by ransomware gangs and APT groups—such as the MOVEit breach in 2023 and Cleo compromises in 2024—timely patching is critical.

The disclosure comes amid a broader trend of file transfer and storage solutions being heavily scrutinized by both researchers and attackers. The CISA Known Exploited Vulnerabilities catalog frequently includes flaws in such products. While no active exploitation has been confirmed yet, the availability of technical details from WatchTowr's report increases the likelihood of attacks.

Organizations using Progress ShareFile's on-premises Storage Zone Controller should verify their version, apply the 5.12.4 patch, and consider restricting internet-facing access to the management interface where possible. The vulnerabilities serve as a reminder that hybrid SaaS/on-premises architectures can introduce complex attack surfaces that require diligent monitoring and rapid patch management.
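To make the "verify your version" step concrete, here is an added inventory-triage helper (example code, not from the advisory, WatchTowr or Progress). It applies only the rules the advisory states: branch 5.x below 5.12.4 is affected, 6.x is not affected by these two CVEs, and anything else is reported as unknown rather than guessed. The host names and version strings in the sample inventory are constructed.

```python
"""Classify ShareFile Storage Zone Controller versions against the 5.12.4 fix."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (5, 12, 4)  # first fixed release in branch 5.x (per advisory)

# Matches the first dotted numeric version in strings such as 'StorageCenter_5.12.3'.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def classify(version_text: str) -> str:
    """Return 'affected', 'fixed', 'not-affected' or 'unknown' for one host."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major = v[0]
    if major == 6:
        return "not-affected"  # .NET Core branch; CVE-2026-2699/2701 do not apply
    if major != 5:
        return "unknown"  # the advisory only covers branches 5.x and 6.x
    # Pad to three components so a bare '5.12' compares like '5.12.0';
    # extra components (e.g. '5.12.4.1') are ignored for the comparison.
    padded = tuple(list(v[:3]) + [0] * (3 - len(v[:3])))
    return "fixed" if padded >= FIXED_VERSION else "affected"


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose version is still affected."""
    return sorted(host for host, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    sample = {
        "szc-01.example.test": "StorageCenter_5.12.3",
        "szc-02.example.test": "5.12.4",
        "szc-03.example.test": "6.0.2",
        "szc-04.example.test": "version string missing",
    }
    for host, verdict in sorted((h, classify(v)) for h, v in sample.items()):
        print(f"{host}: {verdict}")
    print("needs update:", hosts_needing_update(sample))
```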

Synthesized by Vypr AI