Critical Flaws in Progress ShareFile Allow Unauthenticated Data Exfiltration
Two critical vulnerabilities in **Progress ShareFile**, a secure file transfer solution, can be chained to achieve unauthenticated remote code execution and data exfiltration. Security researchers at **watchTowr** discovered the flaws, which affect the Storage Zones Controller (SZC) component.

**Progress ShareFile**, a document sharing and collaboration product popular among large and mid-sized companies, is facing scrutiny after the discovery of two critical vulnerabilities. These flaws could allow attackers to bypass authentication and remotely execute code, potentially leading to sensitive data exfiltration.
Such file-sharing solutions have become prime targets for ransomware groups, as seen with previous attacks exploiting vulnerabilities in solutions like **Accellion FTA**, **SolarWinds Serv-U**, **Gladinet CentreStack**, **GoAnywhere MFT**, **MOVEit Transfer**, and **Cleo**.
### Vulnerability Details
Researchers at **watchTowr** identified an authentication bypass (**CVE-2026-2699**) and a remote code execution vulnerability (**CVE-2026-2701**) within the Storage Zones Controller (SZC) component of Progress ShareFile, specifically in the 5.x branch.
The SZC component allows customers to maintain greater control over their data by storing it on their own infrastructure or a third-party cloud provider, rather than solely on Progress systems.
Following responsible disclosure by **watchTowr**, **Progress** addressed these vulnerabilities in ShareFile version 5.12.4, released on March 10th.
### Attack Chain Explained
According to **watchTowr**'s detailed report, the attack begins by exploiting **CVE-2026-2699**, the authentication bypass. This flaw grants unauthorized access to the ShareFile admin interface due to improper handling of HTTP redirects.
Once inside the admin panel, an attacker can manipulate Storage Zone configuration settings, including critical file storage paths and security-sensitive parameters such as the zone passphrase and related secrets.
The second vulnerability, **CVE-2026-2701**, enables remote code execution. Attackers can leverage file upload and extraction functionalities to deploy malicious ASPX webshells within the application's webroot.
The researchers emphasized that successful exploitation requires generating valid HMAC signatures and decrypting internal secrets. These actions become feasible after exploiting **CVE-2026-2699**, which allows attackers to set or control passphrase-related values.
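The two symptoms a defender can look for in the chain described above are an admin-interface request that is answered with HTTP 200 rather than redirected to login, and a server-side script file appearing in the webroot that was not part of the install. The following script is an added example, not code from watchTowr or Progress, and it makes no claim about ShareFile's real URL layout: the admin path prefix, the session cookie name, the log format, the file paths and the baseline are all constructed placeholders that an operator would replace with values from their own deployment.

```python
"""Defender-side triage for the SZC attack chain: unauthenticated admin hits
and unexpected server-side files in the webroot.

Added example; all paths, cookie names and log lines are constructed
placeholders, not ShareFile's actual layout.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical admin URL prefix and session cookie name (assumptions, not ShareFile's).
ADMIN_PREFIX = "/configservice/admin"
SESSION_COOKIE = "ASP.NET_SessionId"
# Extensions that IIS executes server-side; a new one of these is a webshell indicator.
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx"}

# Constructed, simplified access-log format: "<ts> <method> <path> <status> <cookie-or-dash>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<cookie>\S*)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def parse_log_line(line: str) -> dict | None:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unauthenticated_admin_hits(lines: list[str]) -> list[Finding]:
    """Flag admin-interface requests served with 200 but carrying no session cookie.

    A correctly enforced login would answer such a request with a redirect (302),
    so a 200 here is the auth-bypass symptom the text describes.
    """
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not rec["path"].lower().startswith(ADMIN_PREFIX):
            continue
        authed = (SESSION_COOKIE.lower() + "=") in rec["cookie"].lower()
        if rec["status"] == "200" and not authed:
            findings.append(Finding("unauthenticated-admin", f'{rec["ts"]} {rec["method"]} {rec["path"]}'))
    return findings


def unexpected_server_side_files(webroot_files: list[str], baseline: list[str]) -> list[Finding]:
    """Flag .aspx/.ashx/.asmx files under the webroot that are absent from the known-good baseline."""
    baseline_norm = {PureWindowsPath(p).as_posix().lower() for p in baseline}
    findings = []
    for f in webroot_files:
        p = PureWindowsPath(f)
        if p.suffix.lower() in SERVER_SIDE_EXT and p.as_posix().lower() not in baseline_norm:
            findings.append(Finding("unexpected-server-side-file", f))
    return findings


# Constructed sample data: one correctly redirected hit, one legitimate session,
# one suspicious unauthenticated 200, one unrelated static request.
SAMPLE_LOG = [
    "2026-03-11T08:00:01Z GET /configservice/admin/zones 302 -",
    "2026-03-11T08:00:05Z GET /configservice/admin/zones 200 ASP.NET_SessionId=abc123",
    "2026-03-11T08:01:17Z POST /configservice/admin/zones/edit 200 -",
    "2026-03-11T08:01:18Z GET /static/logo.png 200 -",
]
BASELINE = [
    r"C:\inetpub\wwwroot\szc\Default.aspx",
    r"C:\inetpub\wwwroot\szc\ConfigService.asmx",
]
WEBROOT_FILES = BASELINE + [
    r"C:\inetpub\wwwroot\szc\upload\unexpected.aspx",  # constructed: not in baseline
    r"C:\inetpub\wwwroot\szc\images\logo.png",
]


def run_triage(lines: list[str] = SAMPLE_LOG,
               files: list[str] = WEBROOT_FILES,
               baseline: list[str] = BASELINE) -> list[Finding]:
    """Run both checks and return every finding."""
    return unauthenticated_admin_hits(lines) + unexpected_server_side_files(files, baseline)


if __name__ == "__main__":
    for f in run_triage():
        print(f"[{f.kind}] {f.detail}")
```

Both checks are deliberately independent of how the bypass or the upload is triggered: the first needs only the access log and the second only a file listing plus a baseline captured at install time, so they can be run retrospectively on an instance that was exposed before the 5.12.4 update was applied.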

### Impact and Exposure
**watchTowr**'s scans indicate approximately 30,000 Storage Zones Controller instances are exposed to the public internet.
The **ShadowServer Foundation** currently monitors around 700 internet-exposed **Progress ShareFile** instances, primarily located in the United States and Europe.
**watchTowr** reported the vulnerabilities to **Progress** between February 6th and 13th, and confirmed the full exploit chain on February 18th against Progress ShareFile 5.12.4. **Progress** released the security updates in version 5.12.4 on March 10th.
While there are no reports of active exploitation in the wild at the time of writing, organizations running vulnerable versions of the ShareFile Storage Zones Controller are strongly urged to apply the patch immediately. The public disclosure of this exploit chain is likely to attract malicious actors.