Pre-Auth Attack Chain in Progress ShareFile Exposes Every File on 30,000 Servers
WatchTowr researchers disclosed two chained vulnerabilities in Progress ShareFile on April 2, 2026, that allow unauthenticated attackers to execute code and exfiltrate all files stored on affected servers. Around 30,000 instances are exposed on the public internet.
VaultTools · April 3, 2026
Photo on Unsplash
Table of Contents
- What researchers found
- How the two-flaw chain works
- The irony: built for private file storage
- Scope and patch status
- What this means for file tool choices
- Sources
What Researchers Found
On April 2, 2026, offensive security firm watchTowr published technical details of two vulnerabilities in Progress ShareFile’s Storage Zone Controller (SZC) that, when chained, allow an unauthenticated attacker to execute arbitrary code on the server and exfiltrate every file stored in the affected zone. The BleepingComputer report confirmed that no authentication is required at any stage of the attack.
The vulnerabilities, tracked as CVE-2026-2699 and CVE-2026-2701, were reported to Progress between February 6 and 13, 2026. The vendor released a patched version, SZC 5.12.4, on March 10, 2026. As of the public disclosure date, no active exploitation in the wild had been confirmed, though watchTowr noted that public disclosure of the full chain “is likely to entice threat actors.”
How the Two-Flaw Chain Works
The chain begins with CVE-2026-2699, an authentication bypass caused by an Execution After Redirect flaw in the /ConfigService/Admin.aspx endpoint. The application calls Response.Redirect() with a parameter that sets the redirect without terminating execution. As a result, the administrative interface continues to process and render its full response despite issuing a 302 redirect, granting unauthenticated access to administrative functions.
With admin access established, an attacker exploits CVE-2026-2701 to achieve remote code execution. The attack reconfigures the Storage Repository path to point toward the application’s webroot directory, then uploads a ZIP file containing an ASPX webshell via the /upload.aspx endpoint. Because file extraction preserves file extensions, the webshell lands in the webroot and becomes executable. Calculating the required HMAC-SHA256 signatures to pass validation is possible using zone secrets that become readable after the initial bypass.
The result is full control over the file storage system and the ability to read, modify, or exfiltrate any document stored in the affected zone.
The Irony: Built for Private File Storage
Progress ShareFile’s Storage Zone Controller is the component organizations deploy when they want to keep files on their own infrastructure rather than in ShareFile’s cloud. As watchTowr noted in their disclosure: “ShareFile’s Storage Zone Controller exists specifically for organisations that can’t trust their files to someone else’s infrastructure.”
The intended audience for SZC includes organizations with regulatory, legal, or policy requirements that prohibit storing sensitive files in third-party cloud environments. The vulnerability chain means that organizations using this architecture to maintain file privacy were running, for the period between discovery and patch, server infrastructure fully accessible to an unauthenticated attacker with knowledge of the flaw.
The Center for Internet Security published an advisory classifying the vulnerabilities as capable of allowing complete system compromise.
Scope and Patch Status
WatchTowr’s internet scans found approximately 30,000 Storage Zone Controller instances publicly exposed. The ShadowServer Foundation identified around 700 confirmed internet-facing instances, concentrated primarily in the United States and Europe.
The patched version, SZC 5.12.4, was released by Progress on March 10, 2026. Organizations running version 5.12.3 or earlier are vulnerable to the full pre-authenticated chain. Progress has not issued a public comment on exploitation status beyond the patch release.
What This Means for File Tool Choices
The ShareFile vulnerability illustrates the structural problem with server-side file processing for privacy-sensitive workloads: files that must not be exposed are stored on servers, servers run software, and software has flaws that can be exploited before organizations know the flaw exists.
This case is more direct than most. ShareFile SZC was specifically chosen by security-conscious organizations as the alternative to trusting a cloud provider. The attack chain requires no credentials and is executable by anyone who can reach the server. Files intended to stay private because they were kept on premise were, while the flaw was unpatched, as accessible as if they had been placed in a public bucket.
File processing that runs entirely in the browser using WebAssembly creates no server footprint. No files are stored remotely, no storage path can be reconfigured by an attacker, and no webshell can be uploaded because there is no upload endpoint to target. The ShareFile disclosure is a concrete example of what browser-side local processing avoids: an entire category of infrastructure attack that does not exist if the file never leaves the device.
Sources
- New Progress ShareFile flaws can be chained in pre-auth RCE attacks (BleepingComputer)
- You’re Not Supposed To ShareFile With Everyone (CVE-2026-2699 & CVE-2026-2701) (watchTowr Labs)
- Multiple Vulnerabilities in Progress ShareFile Could Allow for Remote Code Execution (Center for Internet Security)
- Security Vulnerability Fix For ShareFile Storage Zones Controller 5.x (February 2026) (Progress ShareFile Docs)