Progress Releases Security Updates for ShareFile Storage Zones Controller (SZC)

Successful exploitation could allow an unauthenticated remote attacker to access on-prem storage zones controller’s configuration pages, potentially leading to changes in system configuration and remote code execution

Threat ID:: CC-4767
Threat Severity:: Medium
Published:: 7 April 2026 4:03 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Progress ShareFile Storage Zones Controller

all prior to 5.12.3

Threat details

Proof-of-Concept Exploit

A proof-of-concept exploit for CVE-2026-2701 and CVE-2026-2699 is publicly available. The NHS England National CSOC assesses exploitation as highly likely.

Introduction

Progress has released a security update to address two critical vulnerabilities in ShareFile Storage Zones Controller (SZC). Progress ShareFile was formerly known as Citrix ShareFile.

CVE-2026-2699 - 'Execution After Redirect' vulnerability - CVSSv3 score: 9.8.
CVE-2026-2701 - 'Remote Code Execution' vulnerability - CVSSv3 score: 9.1.

When CVE-2026-2699 and CVE-2026-2701 are chained together, an unauthenticated attacker could perform remote code execution (RCE).

Remediation advice

Affected organisations are encouraged to review Progress ShareFile's security advisory and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26

CVE Vulnerabilities

Status Published

CVE-2026-2701

Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

Status Published

CVE-2026-2699

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

Last edited: 7 April 2026 4:03 pm