Full Report
Multiple vulnerabilities have been discovered in Progress ShareFile, which when chained together, could allow for remote code execution. Progress ShareFile is a secure, cloud-based content collaboration and file-sharing platform. It enables businesses to securely exchange documents, manage client workflows, and obtain electronic signatures, with a focus on compliance for industries like finance and healthcare. Successful exploitation of the vulnerabilities when chained together could allow attackers to abuse the file upload and extraction functionality to place malicious ASPX webshells in the application’s webroot.
Analysis Summary
# Vulnerability: Progress ShareFile Pre-Auth Remote Code Execution Chain
## CVE Details
- **CVE ID:** CVE-2026-2699 and CVE-2026-2701
- **CVSS Score:** Not explicitly listed in text, but categorized as **HIGH Risk** for Government and Business entities.
- **CWE:** Improper handling of HTTP redirects (CVE-2026-2699); Improper Limitation of a Pathname to a Restricted Directory / File Upload Vulnerability (CVE-2026-2701).
## Affected Systems
- **Products:** Progress ShareFile (specifically the Storage Zones Controller component).
- **Versions:** All versions prior to 5.12.4.
- **Configurations:** Systems utilizing the Storage Zones Controller (SZC) for file-sharing and content collaboration.
## Vulnerability Description
This advisory concerns a vulnerability chain involving two primary flaws:
1. **CVE-2026-2699:** An **authentication bypass** in the Storage Zones Controller (SZC) caused by improper handling of HTTP redirects. This allows an unauthorized user to access the ShareFile admin interface.
2. **CVE-2026-2701:** A **Remote Code Execution (RCE)** flaw within the SZC. By abusing file upload and extraction functionality, an attacker can bypass security restrictions to place malicious ASPX webshells directly into the application’s webroot.
When chained, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary code on the underlying server.
## Exploitation
- **Status:** PoC available. Public Proof of Concept code and a demonstration were released by watchTowr labs.
- **Complexity:** Medium (requires chaining two specific flaws).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Full access to documents and file-sharing environment).
- **Integrity:** High (Ability to upload webshells and modify application files).
- **Availability:** High (Potential for full server takeover).
## Remediation
### Patches
- **Progress ShareFile 5.12.4:** All users should update to this version or subsequent releases immediately to mitigate both CVEs.
### Workarounds
- No specific software workarounds were provided in the advisory; immediate patching is recommended.
- **General Mitigation:** Enable anti-exploitation features such as Microsoft Data Execution Prevention (DEP) and Windows Defender Exploit Guard (WDEG).
## Detection
- **Indicators of Compromise:**
- Presence of unexpected `.aspx` files in the ShareFile webroot.
- Unusual HTTP redirect patterns in web server logs originating from the Storage Zones Controller.
- **Detection methods and tools:**
- Perform automated vulnerability scans using SCAP-compliant tools.
- Conduct external penetration testing to verify the accessibility of the SZC admin interface.
## References
- **Vendor Advisories:** Progress Software (via MS-ISAC Advisory 2026-030)
- **CVE-2026-2699:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-2699
- **CVE-2026-2701:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-2701
- **watchTowr Analysis:** hxxps://labs[.]watchtowr[.]com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/