Researchers disclosed a pre-authenticated remote code execution chain affecting Progress ShareFile Storage Zone Controller 5.x. The chain combines CVE-2026-2699, an authentication bypass in /ConfigService/Admin.aspx caused by execution continuing after an HTTP redirect, with **CVE-2026-2701`, which allows code execution by changing the storage location to a webroot path and abusing ZIP upload-and-extract behavior to write a malicious ASPX webshell to disk. The attack can give unauthenticated attackers access to the ShareFile admin interface, enable changes to storage zone configuration and secrets, and potentially support file exfiltration from affected environments.
The issues were reported by watchTowr and fixed by Progress in ShareFile Storage Zone Controller 5.12.4. The research focused on the 5.x branch, including version 5.12.3, and highlighted substantial internet exposure: watchTowr said roughly 30,000 Storage Zone Controller instances were discoverable online, while Shadowserver observed about 700 internet-exposed Progress ShareFile systems, primarily in the United States and Europe. No active exploitation was reported at disclosure, but the publication of the exploit chain raises the risk of follow-on attacks against unpatched on-premises deployments.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Public reporting noted substantial exposure of ShareFile Storage Zone Controller systems on the internet, with watchTowr estimating roughly 30,000 discoverable instances and ShadowServer observing about 700 exposed Progress ShareFile systems. The exposed systems were reported as concentrated mainly in the United States and Europe.
watchTowr Labs publicly disclosed that CVE-2026-2699 and CVE-2026-2701 can be chained to achieve pre-authenticated remote code execution against internet-exposed on-premises ShareFile Storage Zone Controller 5.x systems. The disclosure described authentication bypass via /ConfigService/Admin.aspx and webshell placement through storage reconfiguration and ZIP extraction abuse.
Progress fixed two flaws in ShareFile Storage Zone Controller 5.x, tracked as CVE-2026-2699 and CVE-2026-2701, in version 5.12.4. The patched release was made available on 2026-03-10.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
hipaajournal.com
Open sourcecybersecuritynews.com
Open sourcescworld.com
Open sourcerunzero.com
Open sourcebleepingcomputer.com
Open sourcelabs.watchtowr.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.