Update: Progress Software Says Zero-Day Flaw Led to ShareFile Shutdown

July 15, 2026
Update: Progress Software Says Zero-Day Flaw Led to ShareFile Shutdown
IANS News

Key Points

  • Progress Software’s order to shut down ShareFile Storage Zone Controllers was due to a high-severity path traversal vulnerability that could have been targeted by a threat actor.
  • Progress says it has found no evidence of unauthorized access so far and has issued an update for ShareFile Storage Zone Controllers.
  • IANS Faculty recommend treating exposed controllers as possible incidents by hunting for suspicious files, preserving logs, rotating service account credentials and reassessing file-sharing platform risk with third-parties.

 

Update: Progress Software Says Zero-Day Flaw Led to ShareFile Shutdown

A high-severity zero-day path traversal vulnerability led to the emergency warning from Progress Software about its ShareFile Storage Zone Controllers late last week.

Progress said its investigation found the vulnerability could have been exploited by a threat actor targeting ShareFile customers based on “information from a credible source,” according to an email update sent to customers today.

No indication of unauthorized access to ShareFile customer accounts or data has been found so far, Progress said. Customers are urged to update ShareFile Storage Zone Controllers to versions 5.12.5 and 6.0.2 to address the vulnerability before bringing the devices back online. Progress said it will issue a CVE for the discovered vulnerability in the next two weeks.

The warning issued last Friday by Progress instructed customers to manually shut down the server hosting controllers and keep the devices offline as internal and external security experts investigated the issue.

Storage Zone Controllers are on-premises components used in secure file-sharing systems such as ShareFile. They are typically internet-facing and let organizations store files on their own infrastructure, while still relying on Progress’ cloud platform for authentication and management.

Progress is still reeling from the MOVEit crisis from last year and two recent Storage Zone Controller CVEs issued last month. These CVEs included CVE-2026-2699, an authentication bypass flaw with a CVSS score of 9.8, and CVE-2026-2701, a remote code execution flaw with a CVSS score of 9.1.

 

Big Picture

Despite Progress appearing to say the issue is resolved with a patch, customers should note the vulnerability was dire enough to spook a vendor into a scorched-earth technical support approach.

Unscheduled downtime is disruptive, but it's also a live opportunity to exercise a business continuity plan. The alternative could just as easily have been a threat actor making that decision for you.”  Jessica Hebenstreit, IANS Faculty

The attack against Progress’ MOVEit software last year and its significant blast radius potentially drove the vendor to take an abundance of caution against any possible threat, even if it led to customer disruption.

After the MOVEit pain, Progress chose immediate customer disruption over the risk of another quiet‑patch‑and‑pray scenario turning into mass exploitation. That's what vendor education looks like when the scar tissue is still fresh.”  Jeff Brown, IANS Faculty

This episode appears to also reflect a lack of vendor infrastructure visibility.

An outside party warned of the risk through coordinated disclosure. A customer email provided the details and the public record won't catch up for two weeks. That reflects the vendor's estimate of its own limited ability to see exploitation on these servers, which means what we're seeing is compensating for blindness.”  Wolfgang Goerlich, IANS Faculty

 

IANS Faculty Recommendations

  • Ensure third parties applied the patch: Ask each ShareFile-using vendor for patch dates and pre-reconnect verification, and weight any answer against what that vendor can actually see.
  • Treat exposed systems as possible incidents. Hunt for unfamiliar .aspx files and unauthorized configuration changes, preserve system and web logs, and rotate service account credentials, especially for controllers that have been internet‑accessible.
  • Preserve forensic logs: Ensure logging/forensic data are retained and sent to centralized systems outside the affected server. Independent logging improves incident response and preserves evidence if a device is compromised.
  • Assess additional platform risks: Treat MFT and file-sharing technologies as a dedicated risk category within vendor management and patch governance programs.


Authors & Contributors

Tim McCarthy, Author - Security Reporter, IANS News

Jessica Hebenstreit, IANS Faculty

Jeff Brown, IANS Faculty

Wolfgang Goerlich, IANS Faculty

 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.