Progress Tells ShareFile Customers to Shut Down Servers Over Security Threat
Progress Software has instructed ShareFile customers to immediately shut down Windows servers running on-premises Storage Zone Controllers after identifying what it called a credible external security threat.
The company also temporarily disabled access to ShareFile accounts connected to the affected controllers. Progress said it took the action as a precaution and had no indication that unauthorized parties had accessed ShareFile accounts or customer data when it issued the warning.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
According to details confirmed by Progress Software, customers must manually power down the servers hosting their Storage Zone Controllers. Simply disconnecting through the ShareFile service may not fully address the risk.
What ShareFile administrators need to do
The warning applies to organizations using customer-managed ShareFile Storage Zone Controllers. These systems connect ShareFile’s cloud services to files stored inside an organization’s own infrastructure.
Progress described the manual shutdown as a critical additional measure to protect customer data. Administrators should leave affected systems offline until the company provides instructions for safely restoring service.
- Identify every Windows server hosting a ShareFile Storage Zone Controller.
- Shut down the affected servers immediately.
- Do not restart the controllers until Progress confirms that it is safe.
- Preserve system, application, proxy and authentication logs for investigation.
- Monitor communications from Progress and the ShareFile status page.
Organizations should also inform security operations, incident response and business continuity teams. Taking the controllers offline may interrupt file access and collaboration workflows that depend on customer-managed storage.
Progress has not disclosed the nature of the threat
Progress has not explained whether the warning relates to a software vulnerability, stolen credentials, exposed cryptographic material or another security issue. It has not assigned a CVE identifier or published indicators of compromise for the incident.
The company said it is investigating with internal and external cybersecurity specialists. Its decision to request a full server shutdown indicates that administrators should not rely on network restrictions or ordinary monitoring as substitutes for taking the systems offline.
The incident was listed as under investigation on the official ShareFile service status page. Cloud-only ShareFile accounts have not been identified as part of the affected group.
| Area | Current information |
|---|---|
| Affected product | Customer-managed ShareFile Storage Zone Controllers |
| Required action | Shut down the Windows servers hosting the controllers |
| Cloud-only accounts | No reported impact from this incident |
| Confirmed data breach | No indication of unauthorized account or data access at the time of the warning |
| Technical cause | Not publicly disclosed |
| CVE identifier | None announced for the current threat |
Storage Zone Controllers connect cloud services to local data
ShareFile Storage Zone Controllers allow organizations to retain files in customer-managed storage while using ShareFile for authentication, administration, sharing and collaboration. The controllers commonly run on Windows servers and may communicate with internet-facing services.
This hybrid arrangement gives businesses more control over where they store sensitive files. It also makes the controller a security-sensitive gateway between external ShareFile services and internal storage infrastructure.
Progress told customers that it had already disabled affected account access before requesting the manual shutdown, according to the company’s warning reported by BleepingComputer.
ShareFile patched two critical flaws earlier in 2026
The shutdown follows the disclosure of two serious Storage Zone Controller vulnerabilities in April 2026. However, Progress has not connected those flaws to the current investigation.
The first vulnerability, CVE-2026-2699, allowed an unauthenticated attacker to reach restricted configuration pages. The second, CVE-2026-2701, allowed an authenticated user to upload and execute a malicious file.

Progress explained in its ShareFile security advisory that the flaws could lead to configuration changes and remote code execution on affected customer-managed systems.
| Vulnerability | Impact | Severity |
|---|---|---|
| CVE-2026-2699 | Authentication bypass granting access to restricted configuration functions | Critical, CVSS 9.8 |
| CVE-2026-2701 | Malicious file upload leading to remote code execution | Critical, CVSS 9.1 |
Security researchers at watchTowr Labs demonstrated that attackers could chain the vulnerabilities to achieve remote code execution without valid credentials.
Version 5.12.4 fixed the earlier vulnerability chain
Progress addressed CVE-2026-2699 and CVE-2026-2701 in Storage Zone Controller 5.12.4. The company released that version on March 10, 2026, before researchers published the full technical details in April.
The official vulnerability notice instructed customers running the affected 5.x branch to upgrade. Progress said Storage Zone Controller 6.x, which uses a newer architecture based on .NET, was not affected by those two vulnerabilities.
The watchTowr investigation showed how the authentication bypass could expose protected administrative functions. Attackers could then abuse file-handling features to place an ASPX webshell in an executable location.
Security teams should preserve evidence
Administrators should follow Progress’s shutdown instruction first. They should then preserve logs and other forensic evidence rather than immediately rebuilding or modifying the affected servers.
Security teams can review recent activity for unexpected configuration access, unusual file uploads, newly created files, suspicious child processes and outbound connections from the controller servers. These checks do not replace guidance from Progress, but they can help identify signs that require deeper investigation.
- Record the shutdown time and the affected server names.
- Preserve Windows event logs, IIS logs and ShareFile application logs.
- Review administrative and authentication activity for unusual access.
- Check endpoint security alerts linked to the affected hosts.
- Wait for Progress to publish recovery, patching or forensic instructions.
Organizations should avoid assuming that version 5.12.4 or the 6.x branch eliminates the risk behind the new warning. Progress has not disclosed enough technical information to determine which versions or configurations could face the current threat.
FAQ
Progress identified a credible external security threat affecting ShareFile Storage Zone Controllers. It instructed customers to shut down the Windows servers hosting those controllers while the company investigates.
The warning applies to customer-managed ShareFile Storage Zone Controllers running on organizations’ own Windows servers. Progress has not identified cloud-only ShareFile accounts as affected.
No. Progress said it had no indication of unauthorized access to ShareFile accounts or customer data when it issued the shutdown warning. The investigation remains important because the company has not disclosed the nature of the threat.
Progress has not publicly connected the current security threat to those vulnerabilities. The two flaws were disclosed in April 2026 and fixed in Storage Zone Controller 5.12.4.
Administrators should keep the servers offline until Progress provides instructions confirming that they can safely restore service. Restarting them before that guidance could expose the systems to an unresolved risk.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages