New Progress ShareFile Flaws Can Be Chained in Pre-Auth RCE Attacks

BleepingComputer, Apr 2, 2026

Why It Matters

The exploit chain gives threat actors a low‑bar path to steal corporate data and launch ransomware, making rapid patching essential for any organization relying on ShareFile.

Key Takeaways

  • Two flaws enable unauthenticated file exfiltration.
  • CVE‑2026‑2699 bypasses admin login via redirect mishandling.
  • CVE‑2026‑2701 allows RCE through malicious ASPX webshells.
  • About 30,000 SZC instances exposed publicly.
  • Patch available in ShareFile 5.12.4; apply immediately.

Pulse Analysis

The discovery of pre‑authentication remote code execution (RCE) chains in Progress ShareFile reflects a broader trend of supply‑chain style attacks on file‑transfer platforms. Over the past year, vulnerabilities in Accellion FTA, MOVEit Transfer, and other managed file transfer solutions have been weaponized by ransomware groups to harvest sensitive data before encrypting it. By chaining an authentication bypass with a server‑side code execution flaw, attackers can bypass traditional perimeter defenses and gain direct access to corporate repositories, amplifying the potential impact of a breach.

Technically, CVE‑2026‑2699 exploits improper handling of HTTP redirects within the SZC component, granting unauthenticated users access to the administrative console. Once inside, the attacker can manipulate storage zone configurations, including passphrase values that protect encrypted data. CVE‑2026‑2701 builds on this foothold by abusing the file‑upload and extraction workflow to plant malicious ASPX webshells, achieving full RCE on the underlying web server. watchTowr's scans identified roughly 30,000 SZC instances exposed on the public internet, with 700 actively monitored by the Shadowserver Foundation, underscoring the attack surface's breadth.

For enterprises, the immediate priority is to apply the vendor‑issued patch in ShareFile 5.12.4, which addresses both CVEs. Organizations should also audit external exposure of SZC endpoints, enforce strict network segmentation, and rotate any compromised passphrases or encryption keys. Continuous monitoring for anomalous file‑upload activity and the presence of webshell signatures can provide early detection. As attackers increasingly chain multiple flaws to bypass authentication, a proactive vulnerability management program becomes a critical line of defense against the next wave of file‑transfer exploits.
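
One way to run the webshell check recommended above, as an added example that is not from the article or from Progress: a sweep of a web root for executable ASP.NET files that changed after a known-good baseline or contain common webshell strings. The extension list, marker strings, directory names and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Assumption: extensions an IIS/ASP.NET site will execute if dropped in a served folder.
EXEC_EXTS = {".aspx", ".ashx", ".asmx"}
# Heuristic strings common in ASP.NET webshells; tune for your own code base.
MARKERS = re.compile(rb"(?i)Process\.Start|ProcessStartInfo|cmd\.exe|FromBase64String|Assembly\.Load")

def sweep(web_root, baseline_epoch):
    """Map relative path -> reasons for executable files that look out of place."""
    findings = {}
    root = Path(web_root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXEC_EXTS:
            continue
        reasons = []
        if path.stat().st_mtime > baseline_epoch:  # changed since last known-good state
            reasons.append("modified-after-baseline")
        with path.open("rb") as fh:
            data = fh.read(1_000_000)  # scan at most the first 1 MB of each file
        hits = sorted({m.group(0).decode().lower() for m in MARKERS.finditer(data)})
        reasons += ["marker:" + h for h in hits]
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Build a constructed web root (inert sample files) and sweep it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads" / "unzipped").mkdir(parents=True)
        samples = {  # name -> (content, age in seconds); all content is constructed and inert
            "default.aspx": (b'<%@ Page Language="C#" %><html>ok</html>', 86400),
            "old_tool.ashx": (b"<%-- constructed: FromBase64String --%>", 86400),
            "uploads/notes.txt": (b"Process.Start in a non-executable file", 0),
            "uploads/unzipped/report.aspx": (b"<%-- constructed: Process.Start --%>", 0),
        }
        for name, (content, age) in samples.items():
            (root / name).write_bytes(content)
            os.utime(root / name, (now - age, now - age))
        return sweep(root, baseline_epoch=now - 3600)

if __name__ == "__main__":
    for rel, why in demo().items():
        print(rel, why)
```

Archive extraction can preserve or set file timestamps, so the modification-time test alone can miss a planted file; keep the content markers and compare against a hash baseline of the installed product where one exists.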
