
Authentication bypass and pre-auth RCE chain in Progress ShareFile Storage Zones Controller (CVE-2026-2699 & CVE-2026-2701)

1 unique source, 1 article

Summary


Two vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x can be chained to achieve unauthenticated remote code execution (RCE) and file exfiltration from enterprise file transfer environments. The flaws—an authentication bypass (CVE-2026-2699) and an RCE vulnerability (CVE-2026-2701)—enable attackers to bypass authentication, modify storage configurations, extract internal secrets, and deploy ASPX webshells on affected servers. The vendor patched the issues in version 5.12.4 (released March 10, 2026) after coordinated disclosure. Exploitation leverages improper HTTP redirect handling and insecure file upload/extraction mechanisms, and is achievable against instances exposed to the public internet. Approximately 30,000 SZC instances are internet-facing, with 700 actively observed by ShadowServer, predominantly in the U.S. and Europe. While no active exploitation has been reported, the public disclosure increases the risk of opportunistic attacks.

Timeline

  1. 02.04.2026 16:33 · 1 article

    Progress ShareFile Storage Zones Controller vulnerabilities (CVE-2026-2699 & CVE-2026-2701) patched; exploit chain disclosed

    Progress ShareFile Storage Zones Controller (SZC) 5.x contained two vulnerabilities—CVE-2026-2699 (authentication bypass) and CVE-2026-2701 (RCE)—which could be chained to achieve unauthenticated remote code execution and file exfiltration. The issues were patched in version 5.12.4 (released March 10, 2026). The exploit chain enabled attackers to bypass authentication via improper HTTP redirect handling, modify storage configurations, extract internal secrets, and deploy ASPX webshells. Public exposure of ~30,000 SZC instances and active observation of 700 systems highlight the urgency for patching.


Information Snippets

  • Two vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x—CVE-2026-2699 (authentication bypass) and CVE-2026-2701 (RCE)—can be chained to achieve unauthenticated access and remote code execution.

    First reported: 02.04.2026 16:33
    1 source, 1 article
  • CVE-2026-2699 allows bypassing authentication by exploiting improper HTTP redirect handling, granting access to the ShareFile admin interface.

    First reported: 02.04.2026 16:33
    1 source, 1 article
  • CVE-2026-2701 enables RCE via abuse of file upload and extraction functionality to deploy ASPX webshells in the application’s webroot after obtaining internal secrets.

    First reported: 02.04.2026 16:33
    1 source, 1 article
  • Exploitation requires setting or controlling passphrase-related values in Storage Zone configurations, which becomes possible after exploiting CVE-2026-2699.

    First reported: 02.04.2026 16:33
    1 source, 1 article
  • Progress ShareFile SZC 5.12.4 (released March 10, 2026) contains fixes for both vulnerabilities, following responsible disclosure between February 6–13 and confirmation of the exploit chain on February 18.

    First reported: 02.04.2026 16:33
    1 source, 1 article
  • Approximately 30,000 SZC instances are exposed on the public internet, with ShadowServer observing 700 active instances (primarily in the U.S. and Europe) as of the report.

    First reported: 02.04.2026 16:33
    1 source, 1 article