Progress Tells ShareFile Customers to Shut Down Servers Over Security Threat


Progress Software has instructed ShareFile customers to immediately shut down Windows servers running on-premises Storage Zone Controllers after identifying what it called a credible external security threat.

The company also temporarily disabled access to ShareFile accounts connected to the affected controllers. Progress said it took the action as a precaution and had no indication that unauthorized parties had accessed ShareFile accounts or customer data when it issued the warning.

According to details confirmed by Progress Software, customers must manually power down the servers hosting their Storage Zone Controllers. Simply disconnecting through the ShareFile service may not fully address the risk.

What ShareFile administrators need to do

The warning applies to organizations using customer-managed ShareFile Storage Zone Controllers. These systems connect ShareFile’s cloud services to files stored inside an organization’s own infrastructure.

Progress described the manual shutdown as a critical additional measure to protect customer data. Administrators should leave affected systems offline until the company provides instructions for safely restoring service.

  • Identify every Windows server hosting a ShareFile Storage Zone Controller.
  • Shut down the affected servers immediately.
  • Do not restart the controllers until Progress confirms that it is safe.
  • Preserve system, application, proxy and authentication logs for investigation.
  • Monitor communications from Progress and the ShareFile status page.

Organizations should also inform security operations, incident response and business continuity teams. Taking the controllers offline may interrupt file access and collaboration workflows that depend on customer-managed storage.

Progress has not disclosed the nature of the threat

Progress has not explained whether the warning relates to a software vulnerability, stolen credentials, exposed cryptographic material or another security issue. It has not assigned a CVE identifier or published indicators of compromise for the incident.

The company said it is investigating with internal and external cybersecurity specialists. Its decision to request a full server shutdown indicates that administrators should not rely on network restrictions or ordinary monitoring as substitutes for taking the systems offline.

The incident was listed as under investigation on the official ShareFile service status page. Cloud-only ShareFile accounts have not been identified as part of the affected group.

AreaCurrent information
Affected productCustomer-managed ShareFile Storage Zone Controllers
Required actionShut down the Windows servers hosting the controllers
Cloud-only accountsNo reported impact from this incident
Confirmed data breachNo indication of unauthorized account or data access at the time of the warning
Technical causeNot publicly disclosed
CVE identifierNone announced for the current threat

Storage Zone Controllers connect cloud services to local data

ShareFile Storage Zone Controllers allow organizations to retain files in customer-managed storage while using ShareFile for authentication, administration, sharing and collaboration. The controllers commonly run on Windows servers and may communicate with internet-facing services.

This hybrid arrangement gives businesses more control over where they store sensitive files. It also makes the controller a security-sensitive gateway between external ShareFile services and internal storage infrastructure.

Progress told customers that it had already disabled affected account access before requesting the manual shutdown, according to the company’s warning reported by BleepingComputer.

ShareFile patched two critical flaws earlier in 2026

The shutdown follows the disclosure of two serious Storage Zone Controller vulnerabilities in April 2026. However, Progress has not connected those flaws to the current investigation.

The first vulnerability, CVE-2026-2699, allowed an unauthenticated attacker to reach restricted configuration pages. The second, CVE-2026-2701, allowed an authenticated user to upload and execute a malicious file.

Progress Alert

Progress explained in its ShareFile security advisory that the flaws could lead to configuration changes and remote code execution on affected customer-managed systems.

VulnerabilityImpactSeverity
CVE-2026-2699Authentication bypass granting access to restricted configuration functionsCritical, CVSS 9.8
CVE-2026-2701Malicious file upload leading to remote code executionCritical, CVSS 9.1

Security researchers at watchTowr Labs demonstrated that attackers could chain the vulnerabilities to achieve remote code execution without valid credentials.

Version 5.12.4 fixed the earlier vulnerability chain

Progress addressed CVE-2026-2699 and CVE-2026-2701 in Storage Zone Controller 5.12.4. The company released that version on March 10, 2026, before researchers published the full technical details in April.

The official vulnerability notice instructed customers running the affected 5.x branch to upgrade. Progress said Storage Zone Controller 6.x, which uses a newer architecture based on .NET, was not affected by those two vulnerabilities.

The watchTowr investigation showed how the authentication bypass could expose protected administrative functions. Attackers could then abuse file-handling features to place an ASPX webshell in an executable location.

Security teams should preserve evidence

Administrators should follow Progress’s shutdown instruction first. They should then preserve logs and other forensic evidence rather than immediately rebuilding or modifying the affected servers.

Security teams can review recent activity for unexpected configuration access, unusual file uploads, newly created files, suspicious child processes and outbound connections from the controller servers. These checks do not replace guidance from Progress, but they can help identify signs that require deeper investigation.

  1. Record the shutdown time and the affected server names.
  2. Preserve Windows event logs, IIS logs and ShareFile application logs.
  3. Review administrative and authentication activity for unusual access.
  4. Check endpoint security alerts linked to the affected hosts.
  5. Wait for Progress to publish recovery, patching or forensic instructions.

Organizations should avoid assuming that version 5.12.4 or the 6.x branch eliminates the risk behind the new warning. Progress has not disclosed enough technical information to determine which versions or configurations could face the current threat.

FAQ

Why did Progress tell ShareFile customers to shut down servers?

Progress identified a credible external security threat affecting ShareFile Storage Zone Controllers. It instructed customers to shut down the Windows servers hosting those controllers while the company investigates.

Which ShareFile systems are affected?

The warning applies to customer-managed ShareFile Storage Zone Controllers running on organizations’ own Windows servers. Progress has not identified cloud-only ShareFile accounts as affected.

Has Progress confirmed a ShareFile data breach?

No. Progress said it had no indication of unauthorized access to ShareFile accounts or customer data when it issued the shutdown warning. The investigation remains important because the company has not disclosed the nature of the threat.

Is the warning related to CVE-2026-2699 or CVE-2026-2701?

Progress has not publicly connected the current security threat to those vulnerabilities. The two flaws were disclosed in April 2026 and fixed in Storage Zone Controller 5.12.4.

When should administrators restart their Storage Zone Controllers?

Administrators should keep the servers offline until Progress provides instructions confirming that they can safely restore service. Restarting them before that guidance could expose the systems to an unresolved risk.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages