
The vulnerability chain, tracked as CVE-2026-2699 and CVE-2026-2701, lets completely unauthenticated attackers achieve Remote Code Execution (RCE) and seize full control of vulnerable servers; no credentials are required at any point.
A Lucrative Target in a High-Risk Ecosystem
Managed File Transfer (MFT) platforms have become a prime hunting ground for advanced persistent threat (APT) groups and ransomware syndicates.
Following the catastrophic breaches tied to MOVEit Transfer, Cleo Harmony, and GoAnywhere MFT, threat actors have continuously shifted focus toward unpatched file-sharing gateways as a reliable entry point into corporate networks.
With approximately 30,000 ShareFile Storage Zone Controller instances currently exposed to the public internet, these newly uncovered flaws represent a high-value attack surface, particularly for groups seeking to exfiltrate sensitive intellectual property or deploy ransomware at scale.
While Progress ShareFile is best known for its cloud-based SaaS offering, many organizations, especially those operating under strict data sovereignty or compliance mandates, deploy the self-hosted Storage Zone Controller.
This component functions as a customer-managed bridge, routing file uploads and downloads through an organization’s own network infrastructure while connecting to the broader ShareFile web interface.
Crucially, both vulnerabilities reside entirely within this on-premises component, so cloud-only deployments are unaffected.
The attack chain begins with an authentication bypass in the administrator configuration panel located at /ConfigService/Admin.aspx.
When an unauthenticated user requests this endpoint, the server answers with an HTTP 302 redirect to a login page, which is the expected control.
However, watchTowr researchers identified a fatal flaw in the underlying C# source: the developers called Response.Redirect() with its endResponse argument set to false, which tells ASP.NET to queue the redirect but keep executing the rest of the page.
This is a classic Execution After Redirect (EAR) vulnerability. Because the page still renders, the admin panel's HTML is written into the body of the 302 response, and an attacker only needs a client that does not follow the redirect (for example, an intercepting proxy that strips the Location header) to read it.
The result: a fully functional administrative panel, accessible with zero authentication.
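The code-behind below is an added illustration of the pattern just described and is not ShareFile's source, which this page does not reproduce; the AdminConfigPage class, the login URL and the IsAuthenticatedAdmin() helper are assumptions. It places the Response.Redirect(url, false) form that leaves the page running next to the forms that actually stop it.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind for an admin configuration page. With AutoEventWireup only
// Page_Load is actually wired to the Load event; the other two handlers are shown
// side by side for comparison.
public partial class AdminConfigPage : Page
{
    // Assumed helper: however the application decides that the caller is an admin.
    private bool IsAuthenticatedAdmin()
    {
        return Session["IsAdmin"] as bool? == true;
    }

    // VULNERABLE FORM. endResponse == false means Response.Redirect only clears the
    // output buffer, sets status 302 with the Location header, and returns. The page
    // lifecycle carries on: LoadAdminControls() runs and the render phase appends the
    // full admin panel HTML to the 302 body. Any client that does not follow the
    // redirect sees that HTML.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        if (!IsAuthenticatedAdmin())
        {
            Response.Redirect("~/ConfigService/Login.aspx", endResponse: false);
        }
        LoadAdminControls();
    }

    // FIXED FORM. endResponse == true (the single-argument overload behaves the same)
    // calls Response.End(), which aborts the request thread with ThreadAbortException:
    // nothing after the call, and no later lifecycle event, executes. Do not wrap this
    // in a catch (Exception) block that would swallow that exception.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsAuthenticatedAdmin())
        {
            Response.Redirect("~/ConfigService/Login.aspx", endResponse: true);
        }
        LoadAdminControls();
    }

    // ALTERNATIVE FIX without ThreadAbortException: bypass the rest of the pipeline and
    // return explicitly. CompleteRequest() does not stop the current page from finishing
    // its own lifecycle, so every later handler on this page (PreRender and so on) must
    // repeat the IsAuthenticatedAdmin() check.
    protected void Page_Load_CompleteRequest(object sender, EventArgs e)
    {
        if (!IsAuthenticatedAdmin())
        {
            Response.Redirect("~/ConfigService/Login.aspx", endResponse: false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        LoadAdminControls();
    }

    private void LoadAdminControls()
    {
        // Assumed: binds the current configuration (storage path and so on) into the
        // page's server controls so that it is rendered to the caller.
    }
}
```

Whichever form is used, a redirect inside Page_Load is the last line of defence. A declarative authorization rule in web.config for the ConfigService directory, or an HttpModule that rejects anonymous requests during AuthorizeRequest, refuses the request before any page code runs and cannot be undone by a forgotten return.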
With admin access in hand, the attacker leverages the second flaw to execute arbitrary code. The Storage Zone Controller allows administrators to define a Network Share Location, a directory path where uploaded files are stored.
While the application verifies that it can read from and write to the supplied path, it does not check whether that path is a legitimate storage location; in particular, nothing stops it from pointing into a directory that IIS serves to the internet.
An attacker can reconfigure the storage path to target the application's public webroot: C:\inetpub\wwwroot\ShareFile\StorageCenter\documentum
Once the storage path points into the webroot, the attacker uploads a malicious ASPX web shell as if it were an ordinary file. Requesting that file in a browser causes IIS to execute it, immediately granting full, unauthenticated remote control over the underlying server and completing the exploit chain in just two steps.
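The check below is an added example of the validation the article says is missing; it is not ShareFile's code. The StoragePathPolicy class, the assumed site root and the sample paths (apart from the documentum path quoted above) are assumptions.

```csharp
using System;
using System.IO;

// Hypothetical policy for the administrator's "Network Share Location" setting.
public static class StoragePathPolicy
{
    // Canonicalise a path: absolute, "." and ".." resolved, separators normalised,
    // trailing separator removed so that "C:\a\" and "C:\a" compare equal.
    private static string Canonical(string p)
    {
        return Path.GetFullPath(p)
                   .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar);
    }

    // True when candidate is root itself or any descendant of it. The separator is
    // appended before the prefix test so that "C:\inetpub\wwwroot2" is not treated
    // as living under "C:\inetpub\wwwroot".
    public static bool IsUnder(string candidate, string root)
    {
        string c = Canonical(candidate);
        string r = Canonical(root);
        return string.Equals(c, r, StringComparison.OrdinalIgnoreCase)
            || c.StartsWith(r + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase);
    }

    // The gate the original code lacked: refuse anything IIS would serve as content,
    // and only then run the read/write probe the original code relied on. webRoot is
    // assumed to be the site's physical root (HttpRuntime.AppDomainAppPath inside the
    // application).
    public static void ValidateStoragePath(string candidate, string webRoot)
    {
        if (string.IsNullOrWhiteSpace(candidate) || !Path.IsPathRooted(candidate))
            throw new ArgumentException("Storage path must be an absolute path.");
        if (IsUnder(candidate, webRoot))
            throw new ArgumentException("Storage path must not be inside the web root: " + candidate);

        Directory.CreateDirectory(candidate);
        string probe = Path.Combine(candidate, ".writeprobe-" + Guid.NewGuid().ToString("N"));
        File.WriteAllBytes(probe, Array.Empty<byte>());
        File.Delete(probe);
    }

    public static void Main()
    {
        const string webRoot = @"C:\inetpub\wwwroot\ShareFile";   // assumed site root
        string[] samples =
        {
            @"D:\SFStorage\zone1",                                          // outside the site: allowed
            @"C:\inetpub\wwwroot\ShareFile\StorageCenter\documentum",       // the path from the article
            @"C:\inetpub\wwwroot\ShareFile\StorageCenter\..\..\ShareFile",  // traversal back into the root
            @"C:\inetpub\wwwroot\ShareFile2\data",                          // sibling sharing a string prefix
        };
        foreach (string s in samples)
            Console.WriteLine((IsUnder(s, webRoot) ? "REJECT  " : "allow   ") + s);
    }
}
```

Even with this check in place, treat the upload directory as hostile: it should sit outside every IIS site root, IIS should have no script handlers mapped for it, and uploaded files should be stored under server-chosen names rather than the client-supplied name. A string comparison also cannot see through directory junctions or mapped drives, so the configured location should be reviewed as a filesystem object, not only as text.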
Both vulnerabilities affect Branch 5.x of the ShareFile Storage Zone Controller, built on ASP.NET. watchTowr confirmed the flaws in version 5.12.3. Progress Software silently released the fixes in version 5.12.4 on March 10, 2026.
Security teams must treat this as an emergency patching priority. In addition to upgrading immediately, defenders should:
- Monitor web server logs for anomalous or unauthorized requests targeting /ConfigService/Admin.aspx and other configuration endpoints.
- Audit the webroot for unexpected or unrecognized ASPX files, which may indicate an already-compromised system.
- Enforce network segmentation by placing on-premises file gateways behind strict firewall rules, limiting exposure to trusted hosts only.
- Review file upload directories to ensure storage paths have not been maliciously reconfigured.
Given the active threat landscape around MFT platforms, organizations still running version 5.12.3 or earlier should assume they may already have been compromised and initiate incident response procedures alongside patching.
The post New Progress ShareFile Vulnerabilities Enable Server Takeover with No Login Required appeared first on Cyber Security News.
