CVE-2026-2699
published 2026-04-02CVE-2026-2699: Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing…
PriorityP188critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
49.42%
98.7th percentile
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | sharefile_storage_zones_controller | <= 5.12.3 | — |
| progress | sharefile_storage_zones_controller | >= 5.0.0 < 5.12.4 | 5.12.4 |
Detection & IOCsextracted from sources · hover to see the quote
- →The authentication bypass (CVE-2026-2699) is an Execution After Redirect (EAR) flaw. Detection should look for HTTP 302 responses to GET /ConfigService/Admin.aspx with a large response body (content_length >= 10000), which indicates successful bypass of the authentication redirect. ↗
- →Exploitation requires generating valid HMAC signatures and extracting/decrypting internal secrets (zone passphrase and related secrets), which become accessible after exploiting CVE-2026-2699 to set or control passphrase-related values. ↗
- →Monitor for unauthorized modification of Storage Zone configuration settings, including file storage paths, zone passphrase, and related secrets, as these are the targets of post-bypass attacker activity. ↗
- →Use FOFA or Shodan to identify internet-exposed ShareFile Storage Zone Controller instances via the title 'ShareFile Storage Server'. Approximately 30,000 instances are exposed on the public internet. ↗
- ·The vulnerability affects Progress ShareFile Storage Zones Controller branch 5.x only. The fix is available in version 5.12.4, released March 10, 2026. Systems not yet patched to 5.12.4 remain vulnerable. ↗
- ·The Nuclei template uses a two-step flow: first confirming the target is a ShareFile Storage Server (body contains 'ShareFile Storage Server'), then probing /ConfigService/Admin.aspx for the bypass condition. Both steps must succeed for a confirmed positive. ↗
- ·No active exploitation in the wild had been observed at the time of public disclosure, but the public release of the exploit chain is expected to attract threat actors, particularly ransomware groups. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)
suricata·2026-04-07·CVSS 9.1
CVE-2026-2701 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)
ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx|3f|"; startswith; content:"id|3d|"; content:"uploadid|3d|"; content:"bp|3d|"; content:"accountid|3d|"; content:"exp|3d|"; content:"h|3d|"; http.request_body; content:"name|3d 22|bp|22|"; content:"name|3d 22|accountid|22|"; content:"name|3d 22|bm|22|"; content:"name|3d 22|bo|22|"; content:"name|3d 22|uploadid|22|"; content:"name|3d 22|rsu|22|"; content:"name|3d 22|NeatUpload|5f|PostBackID|22|"; fast_pattern; content:"name|3d 22|onfinishurl|22|"; content:"|3c|http"; within:20; content:"name|3d 22|
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)
suricata·2026-04-07·CVSS 9.1
CVE-2026-2701 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)
ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ConfigService/api/StroageZoneConfig|3f 26|h|3d|"; startswith; fast_pattern; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2701; classtype:attempted-admin; sid:2068626; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2701, deployment Perimeter, deployment Internal, deployment
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)
suricata·2026-04-07·CVSS 9.8
CVE-2026-2699 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)
ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:25; content:"/ConfigService/Admin.aspx"; fast_pattern; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2699; classtype:attempted-admin; sid:2068625; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2699, deployment Perimeter, deployment
Nuclei
Progress ShareFile Storage Zones Controller - Authentication Bypass
nuclei·CVSS 9.8
CVE-2026-2699 [CRITICAL] Progress ShareFile Storage Zones Controller - Authentication Bypass
Progress ShareFile Storage Zones Controller - Authentication Bypass
Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Template:
id: CVE-2026-2699
info:
name: Progress ShareFile Storage Zones Controller - Authentication Bypass
author: DhiyaneshDk
severity: critical
description: |
Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
impact
Checkpoint
6th April – Threat Intelligence Report
blogs_checkpoint·2026-04-06
CVE-2026-20093 6th April – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 6th April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 30th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The European Commission, the European Union’s executive body, has confirmed a data breach after its Europa.eu platform was compromised through a third-party exchange linked to the Trivy supply chain attack. The incident affected at least one Amazon Web Services account and resulted in data theft, while websites and internal sys
Bleepingcomputer
New Progress ShareFile flaws can be chained in pre-auth RCE attacks
blogs_bleepingcomputer·2026-04-02·CVSS 9.8
[CRITICAL] New Progress ShareFile flaws can be chained in pre-auth RCE attacks
## New Progress ShareFile flaws can be chained in pre-auth RCE attacks
## Bill Toulas
Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments.
Progress ShareFile is a document sharing and collaboration product typically used by large and mid-sized companies.
Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in Accellion FTA , SolarWinds Serv-U , Gladinet CentreStack , GoAnywhere MFT , MOVEit Transfer , and Cleo .
Researchers at offensive security company watchTowr discovered an authentication bypass (CVE-2026-2699) and a remote code execution (CVE-2026-2701) in the Storage Zones Controller
Hackernews
ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
blogs_hackernews·2026-04-02·CVSS 9.8
[CRITICAL] ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace. We are also seeing sketchier traffic on
Wiz
CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2701 [HIGH] CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2701 :
Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Source : NVD
## 9.1
Score
Published April 2, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
Citrix ShareFile StorageZones Controller
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.8
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploi
Wiz
CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2699 [HIGH] CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2699 :
Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Source : NVD
## 9.8
Score
Published April 2, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Citrix ShareFile StorageZones Controller
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 61.3
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
## Get a
2026-04-02
Published