At a glance: Chained vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) allow unauthenticated attackers to bypass authentication and achieve full remote code execution. By exploiting an authentication bypass to access restricted configuration and generate trusted cryptographic material, adversaries can then leverage a file upload flaw to execute malicious code—leading to administrative control, data exposure, and potential system-wide compromise.
Threat summary
On April 2, 2026, researchers published proof-of-concept (POC) code and technical analysis demonstrating that two vulnerabilities in the Progress ShareFile Storage Zones Controller (SZC) can be chained to achieve pre-authentication compromise.
SZC is a customer-managed component that enables organizations to store files on-premises or in cloud environments while using ShareFile’s interface for access and collaboration. The controller manages authentication, file transfers, and storage configuration.
The two vulnerabilities are:
- CVE-2026-2699, which is an authentication bypass that allows an unauthenticated adversary to access restricted configuration pages. It carries a CVSS score of 9.8 out of 10.
- CVE-2026-2701, which allows an authenticated user to upload a malicious file and execute it on the server, with a CVSS score of 9.1.
When chained, these vulnerabilities enable an unauthenticated remote adversary to gain administrative access, modify system configuration, and achieve remote code execution.
The exploit chain becomes viable once CVE-2026-2699 is used to bypass authentication. At that point, an adversary can alter passphrase-related values, generate cryptographic signatures the controller trusts, and decrypt internal secrets that normally protect administrative operations. With that material in hand, the adversary can then use CVE-2026-2701 to upload a file that the server executes, yielding full remote code execution. The resulting exposure includes unauthorized access to sensitive data, potential exfiltration of files, and complete compromise of the affected system.
The worst-case scenario involves persistent control of SZC, redirection of file storage to attacker-controlled infrastructure, and use of the compromised controller as a pivot point for lateral movement.
Progress Software has released a fix (SZC 5.12.4) for both vulnerabilities. Both affect the 5.x branch up to and including version 5.12.3; the 6.x branch is not impacted.
Analysis
From a risk management standpoint, SZC sits in the same category as other customer-managed file-handling systems that have been at the center of major breaches, including MOVEit Transfer, Accellion FTA, and GoAnywhere MFT.
As seen in these incidents, such systems often handle sensitive data and are frequently exposed to the internet to support business operations, which makes them attractive targets when vulnerabilities emerge.
While there is no indication that the SZC flaws are being exploited in the wild, public proof-of-concept code is now available, and the similarities in how these systems operate place SZC in a higher-risk class that benefits from fast patching and close monitoring of any externally accessible deployments.
Organizations using SZC 5.x (≤5.12.3) are affected, and applying the 5.12.4 update across all affected SZC instances is the primary remediation. Because the chain starts with an authentication bypass, patching alone does not rule out prior compromise: organizations should also review administrative access logs for configuration changes they did not make, validate Storage Zone configuration integrity against a known-good copy, and check the webroot for unauthorized uploads or unexpected ASPX files, ideally by comparing file hashes against a baseline taken from a clean install of the same version.
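The following is an added example (not code from the original article or from Progress Software) of two of the checks above: deciding whether a reported SZC version string falls in the affected range stated on this page, and diffing the webroot against a known-good hash baseline to surface added, modified, or removed ASPX and config files. The webroot layout, file names, and contents used in `demo()` are constructed for illustration and are not the real SZC layout; the set of watched extensions is an assumption.

```python
"""Triage helpers for a ShareFile Storage Zones Controller (SZC) host.

Added example, not vendor code. The only facts taken from the advisory are
the affected range (5.x up to and including 5.12.3) and the fix (5.12.4).
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

AFFECTED_BRANCH = 5
FIXED_VERSION = (5, 12, 4)

# Assumption: these are the server-side file types worth baselining in an
# ASP.NET webroot; adjust to the real deployment.
WATCHED = {".aspx", ".ashx", ".asmx", ".config", ".dll"}


def parse_version(version: str) -> tuple[int, ...]:
    """'5.12.3' -> (5, 12, 3); tuples compare element-wise, which matches
    how dotted versions are ordered."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the version is on the 5.x branch and below the 5.12.4 fix.
    Other branches (e.g. 6.x) are reported as not affected, per the advisory."""
    parts = parse_version(version)
    if parts[0] != AFFECTED_BRANCH:
        return False
    return parts < FIXED_VERSION


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict[str, str]:
    """Relative path -> sha256 for every watched file under the webroot.
    Run this once against a clean install of the same version and keep the
    result somewhere the SZC host cannot modify."""
    return {
        str(path.relative_to(webroot)).replace(os.sep, "/"): sha256_file(path)
        for path in webroot.rglob("*")
        if path.is_file() and path.suffix.lower() in WATCHED
    }


def find_unexpected(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live webroot against the baseline. 'added' is the bucket a
    dropped ASPX file lands in; 'modified' catches a tampered web.config."""
    current = build_baseline(webroot)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate a post-exploitation
    state where a new .aspx appears and web.config is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text("<%@ Page %> constructed sample", encoding="utf-8")
        (root / "web.config").write_text("<configuration/>", encoding="utf-8")
        baseline = build_baseline(root)

        (root / "uploads").mkdir()
        (root / "uploads" / "x.aspx").write_text(
            "<%-- constructed: file absent from the baseline --%>", encoding="utf-8")
        (root / "web.config").write_text(
            "<configuration><!-- changed --></configuration>", encoding="utf-8")
        return find_unexpected(root, baseline)


if __name__ == "__main__":
    for v in ("5.12.3", "5.12.4", "6.0.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print(demo())
```

The baseline must come from a trusted source (a clean install or vendor package of the identical version), not from the host being investigated, otherwise a file dropped before the baseline was taken is silently accepted. Anything in `added` with a server-executable extension deserves a manual look before the host is returned to service.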
Additional recommendations include limiting network exposure of SZC, enforcing segmentation for file transfer infrastructure, and maintaining continuous vulnerability management processes to reduce exposure windows for future flaws.