CRITICAL: Progress Orders ShareFile Customers to Shut Down Storage Zone Controllers Over Credible Threat
Progress ordered ShareFile customers to shut down the Windows servers running their Storage Zone Controllers on July 10, 2026, over a credible but undisclosed threat. The move follows April's chainable pre-authentication flaws CVE-2026-2699 (CVSS 9.8) and CVE-2026-2701 (CVSS 9.1), which allow unauthenticated remote code execution on internet-facing controllers.
If you have run a security team for any length of time, you know the difference between a vendor advisory that says please patch at your convenience and one that says turn the machine off, right now, and walk away from it. Progress Software just sent ShareFile customers the second kind. On July 10, 2026, the company told organizations running its Storage Zone Controllers to manually shut down the Windows servers hosting them, calling it a critical additional step to ensure the safety of their data. Progress did not suggest scheduling the work for a convenient maintenance window. It asked people to do it immediately, and it went ahead and disabled access to ShareFile accounts tied to those controllers from its own side.
That is not the language of routine housekeeping. That is the language of a company that has seen something it does not like and would rather everyone be dark while it figures out how bad the something actually is. Advisories that tell you to power a production system off are rare precisely because vendors understand the outage they are causing. When one arrives, the smart move is to assume the vendor knows more than it is saying and act accordingly.
The frustrating part is that Progress has not said what the threat is. The advisory became public the way these things often do now, when an exasperated administrator posted the company's email to the r/sysadmin subreddit and the rest of the industry noticed within the hour. By 12:12 in the afternoon Eastern time that same day, Progress had updated its own status page to list Storage Zone Controller customers as not operational. The company stated plainly that it currently has no indication of unauthorized access to any ShareFile accounts or data, that it is working with internal and external cybersecurity experts, and that it would deliver another update within twenty four hours. What it pointedly has not done is name a CVE, describe the vulnerability, or hint at who might be behind the threat. For defenders, that silence is its own kind of signal.
For anyone who watched the MOVEit disaster unfold in 2023, the shape of this feels uncomfortably familiar, and not by accident. Progress is the same vendor whose MOVEit Transfer product became the single most productive mass exploitation event of that year, after the Clop ransomware crew turned one SQL injection flaw into thousands of downstream victims across governments, banks, and airlines. Managed file transfer and file sharing platforms are catnip for attackers because they sit at the edge of the network, they are reachable from the internet by design, and they are stuffed with exactly the sort of data that makes an extortion demand land with a thud on an executive's desk.
Storage Zone Controller fits that profile precisely. It is the on premises server component that lets a company keep its files on its own storage while still using ShareFile's cloud to manage and share them. In plain terms it is an internet facing Windows box that brokers access to a business's documents, which is roughly the last thing you want sitting exposed the moment a vendor starts telling you to unplug it.
The context that makes this worse is what researchers already found earlier in the year. In April 2026, the team at watchTowr disclosed two critical vulnerabilities in the very same Storage Zone Controller product. The first, tracked as CVE-2026-2699, is an authentication bypass carrying a CVSS score of 9.8. It lets an unauthenticated attacker reach restricted configuration pages, alter the system configuration, and ultimately run code remotely. The full vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reads like a worst case checklist that someone filled in without ever ticking the reassuring box. Network reachable, low complexity, no privileges required, no user interaction, and total compromise of confidentiality, integrity, and availability. The second flaw, CVE-2026-2701, scored 9.1 and supplied the remote code execution piece. Chained together the two allowed an unauthenticated attacker to walk up to an exposed controller, reach configuration pages that should have been locked behind a login, and upload a malicious ASPX webshell for full pre authentication code execution without ever presenting a credential.
Progress had actually shipped fixes for those two bugs back in March, ahead of the public disclosure, and a working proof of concept from the watchTowr researchers now lives in a public GitHub repository. Exploitation of CVE-2026-2699 in the wild has since been reported. To be scrupulously fair, Progress has explicitly not connected the current July shutdown to either April flaw, and the company maintains it has no evidence of a breach. Even so, the industry is right to feel a chill about a pattern where a patched pre authentication remote code execution bug with public exploit code exists, real world exploitation gets observed, and then a few months later the same vendor tells everyone to yank the same product offline over a threat it will not describe.
The history rhymes further back too. In 2023, while Storage Zones Controller was still under Citrix ownership, attackers hammered CVE-2023-24489, another unauthenticated flaw, badly enough that CISA added it to its Known Exploited Vulnerabilities catalog and set a federal remediation clock. This product line has a track record, and it is not a flattering one.
So what do you actually do while Progress works out its story. If you run Storage Zone Controllers on premises, the first move is the one the vendor already handed you, which is to shut down the hosting Windows servers until there is clearer guidance and, presumably, a definitive fix or an all clear. Yes, that means an outage. An outage you choose and control is infinitely preferable to an incident you discover after the fact, and it beats reading about your own downtime on a forum thread.
Beyond the immediate shutdown, the standing guidance for the known April vulnerabilities is to be on a supported and fully patched release. Progress recommends running version 5.12.4 or later on the 5.x line, or moving to any 6.x release to pick up the accumulated fixes from earlier in the year. If your controllers have been idling on an older 5.x build, you were exposed to CVE-2026-2699 and CVE-2026-2701 regardless of whatever the July threat turns out to be, and you should be treating those boxes as suspect rather than merely outdated.
On the detection side, this is an excellent week to go spelunking through your IIS and ShareFile logs. Look for unexpected ASPX files written into the web directories of the controller, because that is the calling card of a webshell drop. Watch for requests to configuration endpoints that should never be reachable without authentication, and for any process spawning out of the IIS worker that resembles command execution. If you have endpoint detection on those servers, and you absolutely should, hunt for w3wp.exe giving birth to cmd.exe or powershell.exe, which is almost never a legitimate event on a file sharing appliance. Above all, preserve the disks before you rebuild anything, because if this does harden into a confirmed intrusion you will want the forensic artifacts far more than you want a freshly imaged machine that can tell you nothing about what happened.
There is a real business lesson buried in the panic. An event like this is the difference between a client who trusts their provider and one who first learns about their own outage from strangers on Reddit. The managed service providers who look competent this week are the ones who already knew which of their clients ran ShareFile Storage Zone Controllers, reached out before the customer heard it anywhere else, and had those servers offline within the hour. That inventory, the simple ability to answer which of my clients is exposed to this vendor in minutes rather than days, is a service worth selling on its own. Package continuous attack surface monitoring and internet facing asset discovery as a monthly retainer, point directly at this exact scenario as the reason it exists, and a frightening vendor advisory quietly becomes a renewal conversation.
References
- NVD CVE-2026-2699
https://nvd.nist.gov/vuln/detail/CVE-2026-2699
- The Hacker News: Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers
https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
- BleepingComputer: Progress Urges ShareFile Admins to Shut Down Servers
https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
- Progress ShareFile Security Vulnerability Guidance
https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26.html
Concerned about this threat?
Our security team can assess your exposure and recommend immediate actions.
Protect Your Organization
Find vulnerabilities like this in your systems before attackers do.
24/7 monitoring to detect and respond to threats like these in real time.
Block phishing and malware delivery targeting your organization.
Map security controls to 26 frameworks including NIST, SOC 2, and HIPAA.