Lead Analysis
Security & Risk4 min

Without Available Patch, Progress Shuts Down ShareFile Controllers, Leaving 86,000 Customers without Local Storage

Corredor de sala de servidores corporativa com luz de alerta vermelha em rack isolado

Progress Software cut cloud access to ShareFile's Storage Zone Controllers on July 11, impacting 86,000 customers following the disclosure of CVE-2026-2699 (CVSS 9.8) linked to CVE-2026-2701 (CVSS 9.1) which enables unauthenticated RCE.

On July 11, Progress Software ordered the immediate shutdown of the Storage Zone Controllers for ShareFile and severed this component's access to the platform's cloud, affecting customers that rely on local storage for corporate file sharing. This measure, confirmed by the company in direct communication to customers, was motivated by a "credible threat" linked to two chained CVEs that allow remote code execution without authentication. Progress acquired ShareFile from Citrix in October 2024 for $875 million, absorbing 86,000 customers and $240 million in annual recurring revenue.


The Vulnerabilities: Authentication Bypass, Remote Code Execution Enabled


watchTowr Labs disclosed two CVEs in April 2026 pertaining to the Storage Zone Controllers. The first, CVE-2026-2699, received a CVSS score of 9.8 and describes an authentication bypass that allows access to restricted configuration pages without credentials. The second, CVE-2026-2701, scored 9.1, is a remote code execution vulnerability triggered from the same configuration pages. Together, the two vulnerabilities allow an unauthenticated external attacker to upload ASPX webshells and take complete control of the server without providing a password at any stage of the attack.


Progress has not disclosed which of the two vulnerabilities is being actively exploited, has not identified victims, and has not set a timeline for the availability of a patch. No correction timeline had been publicly announced by the time this report was published.


The Same Vector, the Second Crisis in Three Years


In 2023, the same product, then under Citrix control, was targeted for exploitation via CVE-2023-24489, a path traversal vulnerability in the Storage Zone Controllers with a CVSS score of 9.8. CISA included CVE-2023-24489 in its catalog of actively exploited vulnerabilities, and ransomware groups used it to compromise organizations before patches were applied. Citrix severed cloud access to vulnerable controllers, the same measure that Progress adopts now.


watchTowr Labs published the technical details of the current CVEs in April 2026. Progress waited three months before acting, and did so without an available patch. The sequence of public disclosure in April and shutdown in July mirrors the timeline of the 2023 incident, where active exploitation began months after the original disclosure.


Practical Impact on the 86,000 Customers


The Storage Zone Controller is the on-premises component of ShareFile: it keeps files on the client's own infrastructure while using ShareFile cloud for access control, permissions, and collaboration. With the component severed from the cloud, the platform becomes inoperable for any workflow relying on local storage. Customers with cloud-only accounts were not affected.


ShareFile has a significant presence in law firms, financial services, and healthcare entities in the United States, where it competes directly with Box and Microsoft SharePoint Online. In Europe, clients in the financial and healthcare sectors subject to the General Data Protection Regulation are required to notify supervisory authorities within 72 hours in the event of personal data exfiltration. A successful exploitation of the CVEs turns this technical risk into an immediate regulatory obligation. Companies with data sovereignty requirements, prevalent in the banking and government sectors of Germany and France, often cannot migrate to cloud storage in a matter of days.


The Recommendation and What It Omits


Progress has recommended migration to a cloud storage model as a short-term alternative. This measure requires transferring files from corporate servers to Progress’s own infrastructure, a decision that involves data reclassification, compliance assessment, and legal approval in regulated environments. For organizations with tens of terabytes of contractual documents or medical records stored locally, migration is not an hours-long operation.


Progress's pattern of response, suspending access instead of releasing a patch, is the same approach adopted by Citrix in 2023. In that incident, a patch arrived within weeks. The absence of any timeline this time indicates that the fix is structurally more complex, or that Progress has found evidence of active exploitation and is maintaining an ongoing investigation before communicating the full scope of the incident.

Lead Analysis
Without Available Patch, Progress Shuts Down ShareFile Controllers, Leaving 86,000 Customers without Local Storage | The New Times