CRITICAL: Progress Orders ShareFile Customers to Pull Storage Zone Controllers Offline Over Credible Threat
Progress Software has ordered ShareFile customers to manually power down the Windows servers running Storage Zone Controllers over a credible external security threat, with no patch available and no CVE disclosed. The emergency shutdown targets the same internet facing component that had a pre authentication RCE chain, CVE-2026-2699 and CVE-2026-2701, disclosed in April 2026.
If you have spent any real time defending a network, you know the particular sound a vendor makes when it is quietly panicking. It arrives as an email on a weekday evening with a subject line like "Service Disruption. Immediate Action Required," and the body reads like it was written by three lawyers and one very tired security engineer. That is exactly what landed in the inboxes of Progress Software's ShareFile customers this week, and for once the message was refreshingly blunt. Progress told customers it has reason to believe there is a credible external security threat targeting ShareFile Storage Zone Controllers, and it wants those Windows servers shut down. Not patched. Not reconfigured. Powered off and pulled from the network. When a vendor tells you to turn the machine off rather than update it, that is your signal that this one belongs firmly in the drop everything and deal with it category.
Here is what we actually know, because Progress has been careful to say very little. The company disabled ShareFile access for customers running Storage Zone Controllers and posted a status page notice at 12:12 p.m. EDT on July 10 marking those customers as not operational, with the incident listed as under investigation. The warning to customers went further than the cloud side shutdown. Progress explicitly instructed organizations to manually power down the Windows servers hosting the controllers, calling it a critical additional step to ensure the safety of your data. The unspoken translation is that cutting cloud access alone does not neutralize whatever they are worried about, which points at the on premises boxes themselves rather than the ShareFile platform. The whole thing spilled into public view when a customer, understandably rattled, posted the notification email to Reddit's r/sysadmin, and the story went from private advisory to industry headline within hours.
Notably absent from any of this is a CVE. Progress has not assigned a vulnerability identifier to the current threat, has not said whether it is a newly discovered flaw or something uglier like stolen credentials or infrastructure level compromise, and has not confirmed active exploitation in the wild. The company's phrasing, that it has no indication of unauthorized access to any ShareFile accounts or data, is the kind of careful language that reassures nobody who has read a breach disclosure before. No indication of unauthorized access is not the same thing as we checked and you are fine, and the decision to order a full shutdown instead of shipping an emergency patch tells its own story. You do not tell thousands of customers to take their file transfer infrastructure offline unless you genuinely do not yet know how to keep it safe while running.
To understand why security teams are treating this with the seriousness they are, you need the recent history of this exact component. Back in April 2026, watchTowr Labs disclosed two chainable vulnerabilities in the ShareFile Storage Zone Controller. The first, tracked as CVE-2026-2699, was an authentication bypass carrying a CVSS score of 9.8. The second, CVE-2026-2701, was a remote code execution flaw rated 9.1. Chained together, they let an unauthenticated attacker reach restricted configuration pages and upload a malicious ASPX webshell to achieve full remote code execution with no credentials whatsoever. That is about as bad as it gets for an internet facing server, and the Storage Zone Controller is exactly that. It sits at the network edge by design, bridging the ShareFile cloud with an organization's own on premises storage, which makes it operationally useful and permanently attractive to anyone scanning the internet for a way in. Progress has pointedly not connected the July incident to either April CVE, and to be fair neither of those bugs was publicly reported as exploited at the time. But when the same edge facing component that had a pre authentication RCE chain in the spring becomes the subject of an emergency shutdown in the summer, you would be forgiven for keeping a skeptical eyebrow raised.
Progress does have form here, and it is not the kind of form you want. This is the company that lived through the MOVEit Transfer catastrophe in 2023, where a single zero day was weaponized against more than 2,700 organizations and turned into one of the largest data extortion campaigns in recent memory. Storage Zone Controller itself has a checkered past too. While the product was still under Citrix ownership, CVE-2023-24489 was actively exploited and Citrix responded by disconnecting unpatched controllers from the ShareFile cloud, almost a mirror image of what Progress is doing now. History does not repeat, but it certainly rhymes, and the people who remember 2023 are the ones moving fastest this week.
So what do you actually do if you run these controllers. The first and most important thing is to comply with the shutdown order without negotiating with yourself about it. Keep the controllers offline until Progress clarifies the threat and provides explicit restart guidance, and resist the temptation to bring them back up just because business users are complaining that file sharing is down. Progress has suggested customers confirm they are running version 5.12.4 or later on the 5.x line, or any release on the 6.x line, but the company has been clear that a current version number is not a clearance certificate. Do not treat patched and up to date as a reason to restart until Progress says so directly.
Beyond the shutdown, assume the worst and hunt accordingly. Any controller that was reachable from the internet should be treated as a potential incident rather than an innocent bystander. Preserve the logs before you do anything that might rotate or overwrite them, image the server if you have the capability, and begin your incident response process rather than waiting for a formal confirmation that may never be as specific as you want. Given the April webshell technique, one of the most productive things a defender can do right now is comb the web accessible directories and storage paths for unfamiliar or recently created ASPX files, because a dropped webshell is the calling card of this exact attack pattern. Review authentication logs and outbound network connections from the controller for anything anomalous, and remember the uncomfortable truth that a server which looks clean is not the same as a server which is clean. Attackers who reach this kind of edge box know how to be quiet.
There is a broader lesson buried in this incident that goes beyond ShareFile. Edge appliances and file transfer gateways have become the favorite front door for both ransomware crews and nation state operators, precisely because they must be internet reachable to do their job and they frequently handle sensitive data on their way through. If your only visibility into these systems is a green checkmark on a vendor status page, you are outsourcing your risk management to a company that just told its customers to turn everything off. That is not a position anyone wants to be in.
Which brings us to the business angle, because incidents like this are exactly where a managed services provider earns its retainer. When a vendor pushes an emergency shutdown that knocks out a client's file infrastructure, the MSP that already knows which clients run ShareFile, can execute the shutdown within the hour, and can stand up a monitored incident response is the one that looks like a hero while everyone else is still refreshing Reddit. Package that reality into an edge exposure assessment and continuous attack surface monitoring offering, pair it with dark web monitoring so clients learn if their data surfaces for sale, and you have turned a vendor's bad week into a concrete upsell conversation about the internet facing systems your clients did not even realize they were betting the company on.
References
- The Hacker News: URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers
https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
- BleepingComputer: Progress urges ShareFile customers to shut down servers over credible threat
https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
- watchTowr Labs: ShareFile Storage Zone Controller Pre-Auth RCE (CVE-2026-2699, CVE-2026-2701)
https://labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/
Concerned about this threat?
Our security team can assess your exposure and recommend immediate actions.
Protect Your Organization
Find vulnerabilities like this in your systems before attackers do.
24/7 monitoring to detect and respond to threats like these in real time.
Block phishing and malware delivery targeting your organization.
Map security controls to 26 frameworks including NIST, SOC 2, and HIPAA.