Full Report
Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments. [...]
Analysis Summary
# Vulnerability: Progress ShareFile Authentication Bypass and RCE Chain
## CVE Details
* **CVE ID:** CVE-2026-2699 (Auth Bypass) and CVE-2026-2701 (RCE)
* **CVSS Score:** Not explicitly listed (Estimated Critical 9.8+ based on pre-auth RCE chain)
* **CWE:** Improper Handling of HTTP Redirects (CVE-2026-2699); Improper File Upload/Extraction (CVE-2026-2701)
## Affected Systems
* **Products:** Progress ShareFile Storage Zones Controller (SZC)
* **Versions:** Branch 5.x (Versions prior to 5.12.4)
* **Configurations:** On-premises or third-party cloud deployments utilizing the Storage Zones Controller component.
## Vulnerability Description
The flaw consists of a two-stage exploit chain targeting the Storage Zones Controller:
1. **CVE-2026-2699 (Authentication Bypass):** Due to improper handling of HTTP redirects, an unauthenticated attacker can bypass security checks to access the ShareFile administrative interface. This allows the attacker to modify critical configuration settings, such as file storage paths and security-sensitive secrets (zone passphrases).
2. **CVE-2026-2701 (Remote Code Execution):** By leveraging the control gained from the first flaw, an attacker can manipulate file upload and extraction functions. This facilitates the placement of malicious ASPX webshells into the application’s webroot, leading to full remote code execution under the context of the server.
## Exploitation
* **Status:** PoC developed by researchers; no active exploitation in the wild observed *at the time of reporting*.
* **Complexity:** Medium (Requires generating valid HMAC signatures and extracting internal secrets, though this is facilitated by the first CVE).
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** High (Unauthenticated file exfiltration and access to sensitive secrets)
* **Integrity:** High (Ability to modify configurations and upload malicious webshells)
* **Availability:** High (Potential for full system takeover and service disruption)
## Remediation
### Patches
* **Progress ShareFile 5.12.4:** Released on March 10. Users must update to this version or later to mitigate both vulnerabilities.
### Workarounds
* No specific workarounds were provided in the article. The primary recommendation is an immediate upgrade to the patched version.
## Detection
* **Indicators of Compromise:**
* Unexpected modifications to Storage Zone configuration settings.
* Presence of unauthorized ASPX files in the webroot directory.
* Logs showing unusual HTTP redirect patterns or unauthorized access to administrative endpoints.
* **Detection methods and tools:**
* Monitoring for internet-exposed Storage Zone Controller instances (ShadowServer currently tracks approximately 700 exposed instances).
## References
* Vendor Advisory: [Progress ShareFile Official Site]
* Researcher Analysis: hxxp[://]labs[.]watchtowr[.]com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
* ShadowServer Statistics: hxxps[://]dashboard[.]shadowserver[.]org/statistics/iot-devices/time-series/?date_range=7&vendor=progress&model=sharefile&dataset=count&limit=100&group_by=geo&stacking=stacked&auto_update=on