Progress Software sent an email to every customer running a ShareFile Storage Zone Controller on July 10, 2026, telling them to shut the underlying Windows server down immediately. The message became public only because a customer posted it to Reddit’s r/sysadmin. Progress’s own wording was blunt: “We have reason to believe there is a credible external security threat targeting Progress Software’s ShareFile Storage Zone Controllers.” As a precaution, the company also disabled cloud-side access to ShareFile accounts that use Storage Zone Controllers, and it told customers explicitly that disabling access through the cloud platform is not enough on its own, the on-premises server itself has to be powered off.
What Storage Zone Controller does, and why that makes this different
Storage Zone Controller is the component organisations deploy on their own Windows servers so that files shared through ShareFile physically stay on the company’s own storage, while authentication, sharing links, and collaboration still run through ShareFile’s cloud. It is designed to sit reachable from the internet so remote users and partners can access shared files, which is precisely what makes an unresolved threat against it serious: this is not a background service tucked deep inside a private network, it is an internet-facing file server by design.
Progress has not disclosed what the threat actually is. There is no confirmation yet of a new CVE, no confirmation of a zero-day, and no statement on whether any Storage Zone Controller has actually been compromised. What the company has said is that it found no indication of unauthorized access to ShareFile accounts or data as of its initial statement, and that it is working with external experts to investigate, with an update promised within 24 hours of the disclosure.
This is not Storage Zone Controller’s first serious flaw this year
In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in the same product: CVE-2026-2699, an authentication bypass scoring 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1. Chained together, those two bugs let an unauthenticated attacker reach restricted configuration pages and upload a malicious webshell, achieving full remote code execution without any credentials at all. Whether the current threat is a continuation of that same chain, a fresh exploitation of it against organisations that never patched, or something entirely new is exactly the question Progress has not yet answered publicly.
What to do right now if you run Storage Zone Controller
Shut the server down if you have not already, per Progress’s instruction, rather than waiting for more detail. Confirm you are running the patched version from April’s disclosure, and if you are not certain, treat the server as potentially compromised rather than merely at risk. Check logs on the Storage Zone Controller host for anything unusual going back to at least April, since a webshell dropped months ago and left dormant is a realistic scenario given how these chained exploits typically get used. Once Progress publishes a fixed version or a clear all-clear, patch immediately rather than simply restarting the service you were told to shut down.
If you need help assessing whether your Storage Zone Controller deployment was exposed, auditing your on-premises file sharing infrastructure for signs of compromise, or building an incident response plan for exactly this kind of ambiguous vendor warning, contact Excello Digital. We help teams move fast and correctly when a vendor tells you to shut something down and does not yet say why.
