preloader

· security digital-security devops supply-chain europe incident-response enterprise-software

Progress Tells Every ShareFile Storage Zone Controller Customer to Shut Down Now, Cause Undisclosed

Source: BleepingComputer / The Hacker News

Progress Software sent an email to every customer running a ShareFile Storage Zone Controller on July 10, 2026, telling them to shut the underlying Windows server down immediately. The message became public only because a customer posted it to Reddit’s r/sysadmin. Progress’s own wording was blunt: “We have reason to believe there is a credible external security threat targeting Progress Software’s ShareFile Storage Zone Controllers.” As a precaution, the company also disabled cloud-side access to ShareFile accounts that use Storage Zone Controllers, and it told customers explicitly that disabling access through the cloud platform is not enough on its own, the on-premises server itself has to be powered off.

What Storage Zone Controller does, and why that makes this different

Storage Zone Controller is the component organisations deploy on their own Windows servers so that files shared through ShareFile physically stay on the company’s own storage, while authentication, sharing links, and collaboration still run through ShareFile’s cloud. It is designed to sit reachable from the internet so remote users and partners can access shared files, which is precisely what makes an unresolved threat against it serious: this is not a background service tucked deep inside a private network, it is an internet-facing file server by design.

Progress has not disclosed what the threat actually is. There is no confirmation yet of a new CVE, no confirmation of a zero-day, and no statement on whether any Storage Zone Controller has actually been compromised. What the company has said is that it found no indication of unauthorized access to ShareFile accounts or data as of its initial statement, and that it is working with external experts to investigate, with an update promised within 24 hours of the disclosure.

This is not Storage Zone Controller’s first serious flaw this year

In April 2026, watchTowr Labs disclosed two chainable vulnerabilities in the same product: CVE-2026-2699, an authentication bypass scoring 9.8, and CVE-2026-2701, a remote code execution flaw scoring 9.1. Chained together, those two bugs let an unauthenticated attacker reach restricted configuration pages and upload a malicious webshell, achieving full remote code execution without any credentials at all. Whether the current threat is a continuation of that same chain, a fresh exploitation of it against organisations that never patched, or something entirely new is exactly the question Progress has not yet answered publicly.

What to do right now if you run Storage Zone Controller

Shut the server down if you have not already, per Progress’s instruction, rather than waiting for more detail. Confirm you are running the patched version from April’s disclosure, and if you are not certain, treat the server as potentially compromised rather than merely at risk. Check logs on the Storage Zone Controller host for anything unusual going back to at least April, since a webshell dropped months ago and left dormant is a realistic scenario given how these chained exploits typically get used. Once Progress publishes a fixed version or a clear all-clear, patch immediately rather than simply restarting the service you were told to shut down.

If you need help assessing whether your Storage Zone Controller deployment was exposed, auditing your on-premises file sharing infrastructure for signs of compromise, or building an incident response plan for exactly this kind of ambiguous vendor warning, contact Excello Digital. We help teams move fast and correctly when a vendor tells you to shut something down and does not yet say why.

These news items are automatically aggregated from industry sources and are not individually reviewed. Any inaccuracies are unintentional — let us know and we'll correct or remove it.

We’ll help you resolve your infrastructure challenges

Our team of experts is ready to help you with your infrastructure challenges. We’ll give you honest and personal treatment. Get in touch to learn more.

Get in touch!