CVE-2026-2701
Published: 2026-04-02
CVE-2026-2701: Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Priority: P2 · 79 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 48.81% (98.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| progress | sharefile_storage_zones_controller | <= 5.12.3 | — |
| progress | sharefile_storage_zones_controller | >= 5.0.0 < 5.12.4 | 5.12.4 |
Detection & IOCs (extracted from sources)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx|3f|"; startswith; content:"id|3d|"; content:"uploadid|3d|"; content:"bp|3d|"; content:"accountid|3d|"; content:"exp|3d|"; content:"h|3d|"; http.request_body; content:"name|3d 22|bp|22|"; content:"name|3d 22|accountid|22|"; content:"name|3d 22|bm|22|"; content:"name|3d 22|bo|22|"; content:"name|3d 22|uploadid|22|"; content:"name|3d 22|rsu|22|"; content:"name|3d 22|NeatUpload|5f|PostBackID|22|"; fast_pattern; content:"name|3d 22|onfinishurl|22|"; content:"|3c|http"; within:20; content:"name|3d 22|unzip|22|"; content:"true"; within:20; content:"filename|3d 22|"; content:"|2e|zip|22 3b|"; distance:0; content:"UniqueID|3d 22|"; content:"PK|03 04|"; distance:0; content:"|2e|asp"; distance:0; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2701; classtype:attempted-admin; sid:2068627; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2701, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_04_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes
PK 03 04 (ZIP magic bytes containing .asp payload)
- Monitor for POST requests to /upload.aspx with multipart form fields including 'unzip=true' and a ZIP filename containing a .asp extension — this is the webshell upload vector for CVE-2026-2701.
- Detect the authentication bypass (CVE-2026-2699) chained with CVE-2026-2701: look for a GET to /ConfigService/Admin.aspx returning HTTP 302 with a large body (content_length >= 10000), indicating EAR (Execution After Redirect) bypass before the webshell upload.
- Attackers must generate valid HMAC signatures and extract/decrypt internal secrets (zone passphrase) before the upload step — look for configuration modification activity on the SZC admin interface prior to any upload attempts.
- Use Shodan/FOFA to identify exposed ShareFile Storage Zone Controller instances via the title fingerprint 'ShareFile Storage Server', then prioritize patching those running versions prior to 5.12.4.
- The full exploit chain PoC and technical write-up are publicly available at labs.watchtowr.com and github.com/watchtowrlabs — expect rapid weaponization given ~30,000 internet-exposed instances.
- The RCE (CVE-2026-2701) only affects the Storage Zones Controller (SZC) component in branch 5.x of Progress ShareFile — cloud-hosted ShareFile tenants not running a self-managed SZC are not affected.
- The fix is available in Progress ShareFile Storage Zones Controller version 5.12.4 (released March 10, 2026); instances not yet patched to this version remain fully exploitable via the pre-auth chain.
- The Snort/ET rule (sid:2068627) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to match traffic in HTTPS environments — without SSL inspection the rule will not fire.
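A log-side version of the checks above, as an added example that is not taken from any of the sources quoted on this page: it flags a client whose oversized 302 from /ConfigService/Admin.aspx is followed by a POST to /upload.aspx carrying the query parameters the rule matches. The IIS W3C field layout, the use of sc-bytes as a stand-in for body size, the one-hour window and the sample lines are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample in IIS W3C format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2026-04-08 10:00:01 198.51.100.7 GET /ConfigService/Admin.aspx - 302 48211
2026-04-08 10:00:02 203.0.113.9 GET /ConfigService/Admin.aspx - 302 412
2026-04-08 10:04:30 198.51.100.7 POST /upload.aspx id=a&uploadid=b&bp=c&accountid=d&exp=e&h=f 200 310
2026-04-08 11:30:00 203.0.113.9 POST /upload.aspx id=a&uploadid=b 200 310
"""

# Query parameters the Suricata rule matches in http.uri for the upload request.
UPLOAD_PARAMS = {"id", "uploadid", "bp", "accountid", "exp", "h"}
EAR_MIN_BYTES = 10000          # page's threshold for a 302 that still carries the page
WINDOW = timedelta(hours=1)    # assumed correlation window

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def is_ear_bypass(r):
    # A normal redirect is a few hundred bytes; a large 302 means the page rendered anyway.
    return (r["cs-method"] == "GET"
            and r["cs-uri-stem"].lower() == "/configservice/admin.aspx"
            and r["sc-status"] == "302"
            and int(r["sc-bytes"]) >= EAR_MIN_BYTES)

def is_signed_upload(r):
    params = set(parse_qs(r["cs-uri-query"], keep_blank_values=True))
    return (r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower() == "/upload.aspx"
            and UPLOAD_PARAMS <= params)

def find_chains(log_text):
    """Return (client_ip, bypass_time, upload_time) where the upload follows the bypass."""
    last_bypass, chains = {}, []
    for r in parse(log_text):
        ip = r["c-ip"]
        if is_ear_bypass(r):
            last_bypass[ip] = r["ts"]
        elif is_signed_upload(r) and ip in last_bypass and r["ts"] - last_bypass[ip] <= WINDOW:
            chains.append((ip, last_bypass[ip], r["ts"]))
    return chains
```

The multipart fields the rule inspects (unzip, the .zip filename) are in the request body and do not appear in IIS logs, so the upload check here relies on the query string and on correlation with the earlier 302.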
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)
suricata·2026-04-07·CVSS 9.1
CVE-2026-2701 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile Webshell Upload attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.aspx|3f|"; startswith; content:"id|3d|"; content:"uploadid|3d|"; content:"bp|3d|"; content:"accountid|3d|"; content:"exp|3d|"; content:"h|3d|"; http.request_body; content:"name|3d 22|bp|22|"; content:"name|3d 22|accountid|22|"; content:"name|3d 22|bm|22|"; content:"name|3d 22|bo|22|"; content:"name|3d 22|uploadid|22|"; content:"name|3d 22|rsu|22|"; content:"name|3d 22|NeatUpload|5f|PostBackID|22|"; fast_pattern; content:"name|3d 22|onfinishurl|22|"; content:"|3c|http"; within:20; content:"name|3d 22|
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)
suricata·2026-04-07·CVSS 9.1
CVE-2026-2701 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile TempData2 Parameter Leak Attempt (CVE-2026-2701)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ConfigService/api/StroageZoneConfig|3f 26|h|3d|"; startswith; fast_pattern; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2701; classtype:attempted-admin; sid:2068626; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2701, deployment Perimeter, deployment Internal, deployment
Suricata
ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)
suricata·2026-04-07·CVSS 9.8
CVE-2026-2699 [CRITICAL] ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Progress ShareFile /ConfigService/Admin.aspx Authentication Bypass Attempt (CVE-2026-2699)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:25; content:"/ConfigService/Admin.aspx"; fast_pattern; reference:url,labs.watchtowr.com/youre-not-supposed-to-sharefile-with-everyone-progress-sharefile-pre-auth-rce-chain-cve-2026-2699-cve-2026-2701/; reference:cve,2026-2699; classtype:attempted-admin; sid:2068625; rev:1; metadata:affected_product Progress_ShareFile, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_07, cve CVE_2026_2699, deployment Perimeter, deployment
Nuclei
Progress ShareFile Storage Zones Controller - Authentication Bypass
nuclei·CVSS 9.8
CVE-2026-2699 [CRITICAL] Progress ShareFile Storage Zones Controller - Authentication Bypass
Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Template:
id: CVE-2026-2699

info:
  name: Progress ShareFile Storage Zones Controller - Authentication Bypass
  author: DhiyaneshDk
  severity: critical
  description: |
    Customer Managed ShareFile Storage Zones Controller (SZC) contains an authentication bypass (Execution After Redirect) that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
impact
Bleepingcomputer
New Progress ShareFile flaws can be chained in pre-auth RCE attacks
blogs_bleepingcomputer·2026-04-02·CVSS 9.8
[CRITICAL] New Progress ShareFile flaws can be chained in pre-auth RCE attacks
## New Progress ShareFile flaws can be chained in pre-auth RCE attacks
## Bill Toulas
Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments.
Progress ShareFile is a document sharing and collaboration product typically used by large and mid-sized companies.
Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in Accellion FTA, SolarWinds Serv-U, Gladinet CentreStack, GoAnywhere MFT, MOVEit Transfer, and Cleo.
Researchers at offensive security company watchTowr discovered an authentication bypass (CVE-2026-2699) and a remote code execution (CVE-2026-2701) in the Storage Zones Controller
Hackernews
ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
blogs_hackernews·2026-04-02·CVSS 9.8
[CRITICAL] ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
## ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws coming back to haunt us, and some very clever new tricks that let attackers bypass security logs entirely without leaving a trace. We are also seeing sketchier traffic on
Wiz
CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2701 [HIGH] CVE-2026-2701 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2701: Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.1 |
| Published | April 2, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.1 |
| Affected Technologies | Citrix ShareFile StorageZones Controller |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 40.8 |
| Exploitation Probability (EPSS) | 0.2 |
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-2699 [HIGH] CVE-2026-2699 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2699: Citrix ShareFile StorageZones Controller vulnerability analysis and mitigation
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Source: NVD
| Field | Value |
|---|---|
| Score | 9.8 |
| Published | April 2, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | Citrix ShareFile StorageZones Controller |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 61.3 |
| Exploitation Probability (EPSS) | 0.4 |
Affected packages and libraries
cpe:2.3:a:citrix:sharefile_storagezones_controller
Sources
Windows Has Fix Added at: Apr 05, 2026
2026-04-02
Published