CVE-2026-2701
published 2026-04-02

CVE-2026-2701: Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

Priority: P279 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 48.81% (98.7th percentile)

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | sharefile_storage_zones_controller | <= 5.12.3 | |
| progress | sharefile_storage_zones_controller | >= 5.0.0 < 5.12.4 | 5.12.4 |

Detection & IOCs (extracted from sources)

url: /ConfigService/Admin.aspx
url: /upload.aspx
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx|3f|"; startswith; content:"id|3d|"; content:"uploadid|3d|"; content:"bp|3d|"; content:"accountid|3d|"; content:"exp|3d|"; content:"h|3d|"; http.request_body; content:"name|3d 22|bp|22|"; content:"name|3d 22|accountid|22|"; content:"name|3d 22|bm|22|"; content:"name|3d 22|bo|22|"; content:"name|3d 22|uploadid|22|"; content:"name|3d 22|rsu|22|"; content:"name|3d 22|NeatUpload|5f|PostBackID|22|"; fast_pattern; content:"name|3d 22|onfinishurl|22|"; content:"|3c|http"; within:20; content:"name|3d 22|unzip|22|"; content:"true"; within:20; content:"filename|3d 22|"; content:"|2e|zip|22 3b|"; distance:0; content:"UniqueID|3d 22|"; content:"PK|03 04|"; distance:0; content:"|2e|asp"; distance:0; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2701; classtype:attempted-admin; sid:2068627; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2701, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: PK 03 04 (ZIP magic bytes, in an archive containing a .asp payload)
  • Monitor for POST requests to /upload.aspx with multipart form fields including 'unzip=true' and a ZIP filename containing a .asp extension — this is the webshell upload vector for CVE-2026-2701.
  • Detect the authentication bypass (CVE-2026-2699) chained with CVE-2026-2701: look for a GET to /ConfigService/Admin.aspx returning HTTP 302 with a large body (content_length >= 10000), indicating EAR (Execution After Redirect) bypass before the webshell upload.
  • Attackers must generate valid HMAC signatures and extract/decrypt internal secrets (zone passphrase) before the upload step — look for configuration modification activity on the SZC admin interface prior to any upload attempts.
  • Use Shodan/FOFA to identify exposed ShareFile Storage Zone Controller instances via the title fingerprint 'ShareFile Storage Server', then prioritize patching those running versions prior to 5.12.4.
  • The full exploit chain PoC and technical write-up are publicly available at labs.watchtowr.com and github.com/watchtowrlabs — expect rapid weaponization given ~30,000 internet-exposed instances.
  • The RCE (CVE-2026-2701) only affects the Storage Zones Controller (SZC) component in branch 5.x of Progress ShareFile — cloud-hosted ShareFile tenants not running a self-managed SZC are not affected.
  • The fix is available in Progress ShareFile Storage Zones Controller version 5.12.4 (released March 10, 2026); instances not yet patched to this version remain fully exploitable via the pre-auth chain.
  • The Snort/ET rule (sid:2068627) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to match traffic in HTTPS environments — without SSL inspection the rule will not fire.
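
The two log-visible indicators from the notes above, correlated per client IP, as an added example that is not part of the original page or any vendor tooling. It assumes IIS-style W3C extended logs with the field names shown; the log lines are constructed, and `sc-bytes` is used as a stand-in for the response body size.

```python
from urllib.parse import parse_qs

# Query parameters the ET rule (sid:2068627) expects on the /upload.aspx URI.
UPLOAD_PARAMS = {"id", "uploadid", "bp", "accountid", "exp", "h"}
EAR_MIN_BYTES = 10000  # the page's size threshold for the 302 response

# Constructed sample log (assumed W3C extended layout, documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2026-04-08 10:00:01 198.51.100.7 GET /ConfigService/Admin.aspx - 302 48211
2026-04-08 10:00:02 203.0.113.9 GET /ConfigService/Admin.aspx - 302 412
2026-04-08 10:03:40 198.51.100.7 POST /upload.aspx id=a&uploadid=b&bp=c&accountid=d&exp=1&h=e 200 310
2026-04-08 10:05:00 203.0.113.9 POST /upload.aspx uploadid=b 200 290
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def find_indicators(text):
    """Return (kind, client_ip, timestamp) tuples in log order."""
    hits, ear_clients = [], set()
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        when = f'{r["date"]} {r["time"]}'
        if (r["cs-method"] == "GET" and stem == "/configservice/admin.aspx"
                and r["sc-status"] == "302" and r["sc-bytes"].isdigit()
                and int(r["sc-bytes"]) >= EAR_MIN_BYTES):
            ear_clients.add(r["c-ip"])  # oversized 302: body sent with the redirect
            hits.append(("ear_redirect_with_body", r["c-ip"], when))
        elif r["cs-method"] == "POST" and stem == "/upload.aspx":
            params = set(parse_qs(r["cs-uri-query"], keep_blank_values=True))
            if UPLOAD_PARAMS <= params:
                kind = "chained_upload" if r["c-ip"] in ear_clients else "upload_candidate"
                hits.append((kind, r["c-ip"], when))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(*hit)
```

Access logs do not record the multipart body, so an `upload_candidate` hit on its own only marks a request for review; the `unzip=true` and `.asp`-in-ZIP conditions still need the network rule or another body-aware sensor.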