
CVE-2026-2699 & CVE-2026-2701: Progress ShareFile Storage Zones Controller Pre-Auth RCE Chain

Progress ShareFile has released fixes for two critical severity vulnerabilities in Progress ShareFile Storage Zones Controller 5.x, tracked as CVE-2026-2699 and CVE-2026-2701.

On 10 March 2026, Progress ShareFile released fixes for two critical severity vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x, tracked as CVE-2026-2699 and CVE-2026-2701. The first flaw is an authentication bypass caused by improper redirect/session handling (Execution After Redirect) in /ConfigService/Admin.aspx. It allows a remote unauthenticated threat actor to access restricted administrative functions, modify zone configuration, and set conditions enabling subsequent code execution. When paired with CVE-2026-2701 (arbitrary file upload/unzip to webroot), the weaknesses enable pre-authentication remote code execution (RCE). These issues were first publicly disclosed on 2 April 2026 by watchTowr Labs following coordinated disclosure with Progress.

Technical details describe how a redirect that does not terminate execution can expose admin functionality to unauthenticated users, who can then tamper with Storage Zone settings. Separately, weak validation in upload/extraction logic can be abused to place executable files into web-accessible paths. Chaining these behaviors enables reliable RCE on affected SZC 5.x systems (≤ 5.12.3) until upgraded to 5.12.4.
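The following triage helper is an added example, not code from Arctic Wolf, Progress or watchTowr. It scans an IIS W3C log for redirect responses from /ConfigService/Admin.aspx that carry an unusually large body, which is what a redirect that keeps executing the page tends to produce. It assumes the optional sc-bytes field is enabled in IIS logging; the function name, the size threshold and the sample log lines are constructed for illustration.

```python
import re

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2026-04-03 09:14:02 198.51.100.7 GET /ConfigService/Admin.aspx 302 412
2026-04-03 09:14:05 203.0.113.50 GET /ConfigService/Admin.aspx 302 48211
2026-04-03 09:14:09 203.0.113.50 POST /configservice/admin.aspx 302 51877
2026-04-03 09:15:30 192.0.2.10 GET /index.html 200 9120
2026-04-03 09:16:41 192.0.2.10 GET /ConfigService/Admin.aspx 200 47803
"""

# Path named in the bulletin; IIS paths are case-insensitive.
ADMIN_PAGE = re.compile(r"^/ConfigService/Admin\.aspx$", re.IGNORECASE)
REDIRECTS = {"301", "302", "303", "307"}
MAX_REDIRECT_BYTES = 2048  # assumed threshold; tune against your own baseline


def suspicious_redirects(log_text, max_bytes=MAX_REDIRECT_BYTES):
    """Return log rows where the admin page answered with a large redirect."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The field order can change mid-file, so re-read it each time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if not ADMIN_PAGE.match(row.get("cs-uri-stem", "")):
            continue
        if row.get("sc-status") not in REDIRECTS:
            continue
        size = row.get("sc-bytes", "-")
        # A plain redirect is a few hundred bytes; a full page body is not.
        if size.isdigit() and int(size) > max_bytes:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in suspicious_redirects(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["sc-bytes"])
```

A hit is a lead for review, not proof of compromise: compare the source address and timing against known administrator activity.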

At the time of writing Arctic Wolf has not observed active exploitation. Threat actors may target this vulnerability due to its high severity (pre-auth RCE chain), widespread internet exposure of SZC deployments, detailed public technical write-up, and the history of mass exploitation of file-transfer platforms by ransomware and data-extortion groups.

Recommendation for CVE-2026-2699 & CVE-2026-2701

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.

| Product | Affected Version | Fixed Version |
|---|---|---|
| ShareFile Storage Zones Controller (SZC) 5.x | v5.12.3 or below | v5.12.4 or above |


Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
