Urgent Alert: Critical ShareFile Vulnerability Allows Server Takeover
Progress, the vendor behind ShareFile, has strongly advised customers to immediately upgrade to version 5.12.4 or transition to any 6.x release, as these versions are not impacted by this severe ShareFile vulnerability. The gravity of the situation is underscored by the high CVSS scores assigned to the identified flaws.
Understanding the Critical ShareFile Vulnerabilities
According to reports from Progress and WatchTower, this sophisticated attack chain comprises two distinct, yet interconnected, vulnerabilities:
-
Authentication Bypass (CVE-2026-2699 – CVSS 9.8)
This critical flaw exposes restricted configuration pages without requiring attackers to log in. WatchTowr identified the root cause as an “Execution After Redirect” condition on the
Admin.aspxconfiguration page. Essentially, while the application redirects unauthenticated users to the login page (HTTP 302), the underlying page logic continues to execute. This critical design oversight allows unauthenticated users to access sensitive administrative functionalities, directly bypassing security controls. The researchers pinpointed this behavior to the application’s redirect function, which fails to properly terminate execution. -
Remote Code Execution (CVE-2026-2701 – CVSS 9.1)
Once an attacker successfully bypasses authentication and gains access to the admin interface, the second vulnerability comes into play. It enables remote code execution through the upload and extraction of malicious files. With admin access, an attacker can modify critical zone settings, including storage paths and passphrase-related values. This capability, combined with the ability to upload a malicious archive and extract it into a server-controlled path (such as a web-accessible directory), paves the way for a full server compromise. In a demonstrated proof-of-concept, an ASPX webshell was placed in the ShareFile webroot, enabling remote code execution on the server.
The Target: ShareFile Storage Zones Controller
This dangerous attack specifically targets the ShareFile Storage Zones Controller. This crucial on-premises component allows organizations to maintain their files within their own infrastructure while leveraging ShareFile’s cloud-based management interface. This setup is particularly favored by enterprises with stringent compliance, data sovereignty, or internal security requirements.
WatchTower’s estimates indicate that approximately 30,000 Storage Zone Controller instances are currently internet-facing, making them attractive targets. Positioned at the edge of file-sharing workflows, these servers are prime targets for sophisticated threat actors, including ransomware groups, who can exploit this ShareFile vulnerability to gain deep access to sensitive corporate data.
Mitigation and Urgent Action for Defenders
While Progress has not yet received reports of active exploitation related to this ShareFile vulnerability, the vendor has classified the issue as critical. The fixes were published on April 2, 2026, following a timeline that saw private disclosure in February, replication by Progress in mid-February, and a patch release for ShareFile Storage Zones Controller 5.12.4 on March 10, ahead of public disclosure in April.
For cybersecurity defenders, the course of action is unequivocally clear and urgent:
- Identify: Immediately identify any exposed ShareFile Storage Zones Controller 5.x systems within your infrastructure.
- Patch: Apply the necessary upgrades to version 5.12.4 or migrate to any 6.x release without delay.
- Review: Conduct a thorough review of patched systems for any suspicious configuration changes, unauthorized access attempts, or unexpected files found in web-facing directories.
Addressing this critical ShareFile vulnerability is paramount to preventing potential server takeovers and protecting sensitive organizational data from ransomware and other cyber threats. Proactive patching and diligent monitoring are key to mitigating this severe risk.
