CVE-2026-2699
published 2026-04-02


Priority: P1 (88) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 49.42% (98.7th percentile)
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

Affected (2 ranges)

Vendor     Product                               Version range        Fixed in
progress   sharefile_storage_zones_controller    <= 5.12.3            -
progress   sharefile_storage_zones_controller    >= 5.0.0, < 5.12.4   5.12.4

Detection & IOCs (extracted from sources)

url:    /ConfigService/Admin.aspx
path:   /ConfigService/Admin.aspx
other:  title=="ShareFile Storage Server"
other:  title:"ShareFile Storage Server"
  • The authentication bypass (CVE-2026-2699) is an Execution After Redirect (EAR) flaw. Detection should look for HTTP 302 responses to GET /ConfigService/Admin.aspx with a large response body (content_length >= 10000), which indicates successful bypass of the authentication redirect.
  • Exploitation requires generating valid HMAC signatures and extracting/decrypting internal secrets (zone passphrase and related secrets), which become accessible after exploiting CVE-2026-2699 to set or control passphrase-related values.
  • Monitor for unauthorized modification of Storage Zone configuration settings, including file storage paths, zone passphrase, and related secrets, as these are the targets of post-bypass attacker activity.
  • Use FOFA or Shodan to identify internet-exposed ShareFile Storage Zone Controller instances via the title 'ShareFile Storage Server'. Approximately 30,000 instances are exposed on the public internet.
  • The vulnerability affects Progress ShareFile Storage Zones Controller branch 5.x only. The fix is available in version 5.12.4, released March 10, 2026. Systems not yet patched to 5.12.4 remain vulnerable.
  • The Nuclei template uses a two-step flow: first confirming the target is a ShareFile Storage Server (body contains 'ShareFile Storage Server'), then probing /ConfigService/Admin.aspx for the bypass condition. Both steps must succeed for a confirmed positive.
  • No active exploitation in the wild had been observed at the time of public disclosure, but the public release of the exploit chain is expected to attract threat actors, particularly ransomware groups.
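The detection note above (a 302 to GET /ConfigService/Admin.aspx with a body of 10000 bytes or more) can be applied to web-server or reverse-proxy access logs. The following is an added example, not code from this page or from Progress; it assumes Combined Log Format, and the sample log lines are constructed.

```python
# Flags HTTP 302 responses to /ConfigService/Admin.aspx with an unexpectedly
# large body, the Execution After Redirect (EAR) signature given in the
# detection note. Added example; log format and sample lines are constructed.
import re

# A genuine redirect to the login page carries a tiny body; a 302 whose body
# is >= 10000 bytes means the admin page rendered despite the redirect.
BODY_THRESHOLD = 10000
TARGET_PATH = "/configservice/admin.aspx"

# Combined Log Format: host ident user [time] "METHOD TARGET PROTO" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

def is_ear_bypass(rec):
    """GET to the admin page, answered 302, but with a full-size body."""
    path = rec["target"].split("?", 1)[0].lower()  # drop query, normalise case
    return (rec["method"] == "GET" and path == TARGET_PATH
            and rec["status"] == 302 and rec["bytes"] >= BODY_THRESHOLD)

def detect(lines):
    """Return the parsed records that match the bypass signature."""
    parsed = (parse_line(line) for line in lines)
    return [r for r in parsed if r and is_ear_bypass(r)]

# Constructed sample lines (not real traffic): one ordinary small redirect, two
# oversized 302s (one with a query string), one 200 that is not a redirect.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:14:01 +0000] "GET /ConfigService/Admin.aspx HTTP/1.1" 302 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Apr/2026:10:14:05 +0000] "GET /ConfigService/Admin.aspx HTTP/1.1" 302 18450 "-" "python-requests/2.31"',
    '198.51.100.4 - - [02/Apr/2026:10:15:22 +0000] "GET /configservice/admin.aspx?x=1 HTTP/1.1" 302 20117 "-" "curl/8.5.0"',
    '198.51.100.5 - - [02/Apr/2026:10:16:00 +0000] "GET /ConfigService/Admin.aspx HTTP/1.1" 200 21000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for r in detect(SAMPLE_LOG):
        print(f"suspected EAR bypass: {r['host']} at {r['time']} -> 302, {r['bytes']} bytes")
```

The small-body 302 is the normal, expected redirect and is not flagged; only the two oversized 302s match.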