Managed File Transfer (MFT) solutions have become a frequent target for sophisticated threat actors, from ransomware gangs to APT groups. A recent investigation by watchTowr Labs has uncovered a critical vulnerability chain in Progress ShareFile that yields pre-authentication Remote Code Execution (RCE), meaning the attacker needs no valid credentials at any point. The discovery underscores the ongoing risk of file-handling software exposed to the public internet.
Understanding the Storage Zone Controller
Progress ShareFile operates a hybrid architecture that includes an on-premises component known as the Storage Zone Controller. This customer-managed gateway allows organizations to store files on their own local servers or private cloud buckets while still utilizing ShareFile’s SaaS interface for management. This architecture is often chosen to satisfy data sovereignty or regulatory requirements. Recent scans suggest that approximately 30,000 instances of this controller are currently accessible online, representing a significant attack surface.
The Vulnerability Chain: CVE-2026-2699 and CVE-2026-2701
The research specifically targeted the 5.x branch of the Storage Zone Controller, which is built on the ASP.NET framework. By chaining two distinct flaws, the researchers achieved full compromise of the host without any valid user credentials:
- CVE-2026-2699: An authentication bypass that lets an unauthenticated request reach application logic that should only be available to an authenticated session.
- CVE-2026-2701: A remote code execution flaw that lets the attacker run arbitrary commands on the underlying server once the authentication check has been bypassed.
- Version Specificity: The vulnerabilities were identified in version 5.12.3 and are specific to the legacy ASP.NET 5.x branch; the newer 6.x branch, built on .NET Core, is not in scope of these findings.
Impact and Technical Remediation
The security analysis involved decompiling the application DLLs and investigating the REST endpoints exposed through the Internet Information Services (IIS) setup. The researchers focused on how the application processes external requests before authentication is established, which is exactly where a bypass has the most value. The resulting exploit chain allows a complete takeover of the Storage Zone Controller and, with it, potential exposure of every file managed by that instance.
Progress responded to these findings by releasing version 5.12.4 on March 10, 2026. This patch resolves the vulnerabilities in the 5.x branch and is essential for every organization running the on-premises Storage Zone Controller; because the controller is customer-managed, the ShareFile SaaS side cannot apply it for you. Administrators should verify the installed version of each controller, especially those reachable from the internet, and apply the update immediately. Given that the chain needs no credentials, an internet-facing instance that sat on a vulnerable 5.x build should also have its logs reviewed for unexpected pre-authentication activity.
In conclusion, CVE-2026-2699 and CVE-2026-2701 are a stark reminder of the security challenges inherent in MFT solutions. As threat actors continue to prioritize these gateways, rapid patching, minimal internet exposure, and rigorous vulnerability research remain the best defenses for modern enterprises.
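The version scoping above (5.x below 5.12.4 vulnerable, 5.12.4 fixed, 6.x outside these findings) is easy to get wrong by hand across a fleet, so the following added example turns it into a small triage script. It is not code from watchTowr Labs or Progress; it assumes that every 5.x build below 5.12.4 should be treated as needing the patch (the article scopes the fix to the whole 5.x branch), and the hostnames and version strings in the inventory are constructed for the example.

```python
"""Triage an inventory of ShareFile Storage Zone Controller versions against the
5.12.4 fix for CVE-2026-2699 / CVE-2026-2701 (added example, not vendor code)."""

# Assumption: the fix level is 5.12.4 for the whole 5.x branch, as the article states.
FIXED_5X = (5, 12, 4)


def parse_version(text: str) -> tuple:
    """Turn '5.12.3' or '5.12.3.0' into a tuple of ints; raise on anything else."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in parts)


def triage(version_text: str) -> str:
    """Classify one controller version.

    'patch-required' : 5.x branch below 5.12.4
    'fixed'          : 5.x branch at or above 5.12.4
    'not-5x-branch'  : other major version (outside the published findings;
                       confirm against the vendor advisory rather than assuming safety)
    'unknown'        : version string could not be parsed, so treat as suspect
    """
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    if version[0] != 5:
        return "not-5x-branch"
    # Compare the first three components only; a trailing build number does not
    # change whether the branch fix level has been reached.
    return "fixed" if version[:3] >= FIXED_5X else "patch-required"


# Lower number = act on it first.
PRIORITY = {"patch-required": 0, "unknown": 1, "not-5x-branch": 2, "fixed": 3}


def triage_inventory(inventory):
    """inventory: iterable of (hostname, version_text, internet_exposed).

    Returns rows of (hostname, version_text, status, internet_exposed) ordered so
    that internet-exposed, unpatched 5.x hosts come first: the chain needs no
    credentials, so those are the ones an attacker can reach today.
    """
    rows = [(host, version_text, triage(version_text), exposed)
            for host, version_text, exposed in inventory]
    rows.sort(key=lambda row: (PRIORITY[row[2]], not row[3], row[0]))
    return rows


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("szc-dmz-01", "5.12.3", True),
    ("szc-lab-02", "5.12.4", False),
    ("szc-core-03", "6.1.0", True),
    ("szc-old-04", "5.11.2", False),
    ("szc-unknown-05", "n/a", True),
]

if __name__ == "__main__":
    for host, version_text, status, exposed in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {version_text:10} {status:16} "
              f"{'INTERNET-EXPOSED' if exposed else 'internal'}")
```

Feed it the version strings you collect from each controller (the script deliberately does not guess where the product records its version on disk) and work the list from the top; an unparseable version lands near the top on purpose, since "we are not sure what is running" is not a reason to deprioritize an internet-facing host.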