Progress ShareFile Storage Zone Controller Pre-Authentication Remote Code Execution (CVE-2026-2699, CVE-2026-2701)

What Has Happened

watchTowr Labs identified and disclosed two vulnerabilities in Progress ShareFile Storage Zone Controller, a customer-managed gateway that enables organizations to store and manage files on their own infrastructure while using ShareFile’s interface for access and collaboration.

The two vulnerabilities, discovered and disclosed by watchTowr Labs in 2026, can be chained together to achieve pre-authenticated Remote Code Execution (RCE) against affected on-premises deployments. No credentials are required. An attacker with network access to an affected Storage Zone Controller instance could bypass authentication and execute arbitrary code on the underlying system.

The two CVEs are:

| CVE | Type |
| --- | --- |
| CVE-2026-2699 | Authentication Bypass |
| CVE-2026-2701 | Remote Code Execution |

Patches are available. Organizations running affected versions should apply them immediately.

About watchTowr Labs

watchTowr Labs is the epicenter of offensive security expertise behind the watchTowr Platform. The research it produces is just a glimpse into what powers the platform, ensuring automated, continuous testing reflects real attacker behavior, not theoretical risk. This research fuels the Preemptive Exposure Management engine that powers everything the platform does.

Why This Matters

Progress ShareFile Storage Zone Controller sits at the boundary between an organization’s internal file infrastructure and external access. It governs authentication, handles file transfers, and controls where sensitive data is stored, including configurations pointing to SMB shares, cloud storage buckets, and local file systems.

Compromising a Storage Zone Controller gives an attacker the ability to redirect file storage to attacker-controlled infrastructure, access sensitive data, and move further into the environment. The vulnerability chain requires no authentication, meaning any internet-facing Storage Zone Controller instance running an affected version is exposed to full system compromise without any prior access or user interaction.

What Is Affected

Progress ShareFile Storage Zone Controller versions 5.12.3 and earlier on the 5.x branch are affected by both vulnerabilities. The 6.x branch, built on .NET Core, is not affected.

Affected Versions

  • StorageCenter 5.x up to and including 5.12.3

Progress released a patched build in March 2026. CVEs were formally assigned in February 2026.

| Branch | Patched Version |
| --- | --- |
| 5.x | StorageCenter 5.12.4 |

What You Should Do

Patches are available for the affected branch. Organizations running Progress ShareFile Storage Zone Controller should apply them immediately.

  1. Confirm whether the ShareFile Storage Zone Controller is deployed in the environment, including any internet-facing instances
  2. Identify the installed version and cross-reference against the affected range (StorageCenter 5.x up to and including 5.12.3)
  3. Apply the patch to version 5.12.4, prioritizing internet-facing instances first
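The three steps above can be run over an asset inventory in one pass. The following is an added example, not code from watchTowr or Progress: it classifies recorded StorageCenter version strings against the affected range stated in this advisory and orders the patch queue with internet-facing instances first. The hostnames, the inventory layout and the function names are assumptions made for illustration; how the version string is collected from each host is left to your own inventory tooling.

```python
import re
from typing import NamedTuple

# From the advisory: StorageCenter 5.x up to and including 5.12.3 is affected;
# 5.12.4 is the patched build; the 6.x branch is not affected.
LAST_AFFECTED = (5, 12, 3)

class Host(NamedTuple):
    name: str
    version: str            # version string as recorded in the inventory
    internet_facing: bool

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a dotted version.
    A trailing build number is ignored; missing components count as 0."""
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+){0,3})\s*", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # unparseable entry: verify on the host
    if v[0] == 5:
        return "affected" if v <= LAST_AFFECTED else "patched"
    if v[0] >= 6:
        return "not-affected"
    return "unknown"            # branches older than 5.x are not covered by the advisory

def triage(hosts):
    """Patch queue: affected hosts first (internet-facing ahead of internal),
    followed by hosts whose version needs manual verification."""
    rank = {"affected": 0, "unknown": 1}
    queue = [(h, classify(h.version)) for h in hosts]
    queue = [(h, s) for h, s in queue if s in rank]
    return sorted(queue, key=lambda hs: (rank[hs[1]], not hs[0].internet_facing, hs[0].name))

# Constructed sample inventory; every hostname and version here is made up.
INVENTORY = [
    Host("szc-int-01", "5.12.3", False),
    Host("szc-dmz-01", "5.11.20.1234", True),
    Host("szc-dmz-02", "5.12.4", True),
    Host("szc-new-01", "6.0.1", True),
    Host("szc-lab-01", "n/a", False),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        exposure = "internet" if host.internet_facing else "internal"
        print(f"{status:9} {exposure:9} {host.name} {host.version}")
```

Entries classified as unknown stay in the queue so that a missing or malformed version record is checked on the host rather than silently treated as safe.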

How watchTowr Responded

This research originated inside watchTowr Labs. From the point of discovery, the watchTowr Platform identified an exposure across client environments before any public disclosure occurred.

| Timeline | watchTowr Response |
| --- | --- |
| Early February 2026 | watchTowr Labs identifies authentication bypass and RCE vulnerabilities in Progress ShareFile Storage Zone Controller. Coordinated disclosure initiated with Progress. |
| Shortly after | Rapid Reaction executes across the watchTowr client base. Affected Storage Zone Controller instances identified and flagged. |
| During disclosure window | Active Defense mitigation rules released to clients, providing network-level controls ahead of vendor patch availability. |
| March 2026 | Progress releases StorageCenter 5.12.4, remediating both vulnerabilities. |
| April 2026 | CVEs formally assigned. watchTowr Labs publishes full technical research. |

watchTowr clients were not waiting for vendor patches or public advisories to understand their exposure. By the time this research became public knowledge, the window for response had already been used.

This is Preemptive Exposure Management in practice.

By combining Proactive Threat Intelligence and External Attack Surface Management, the watchTowr Platform gives organizations the time they need to act before threats become incidents. The research published by watchTowr Labs is just a glimpse into what powers the platform: automated, continuous testing against real attacker behavior, informed by first-party vulnerability discovery.

When exploitation happens in hours, watchTowr delivers what no one else can: time to respond.
