On 10 March 2026, Progress ShareFile released fixes for two critical-severity vulnerabilities in Progress ShareFile Storage Zones Controller (SZC) 5.x, tracked as CVE-2026-2699 and CVE-2026-2701. The first flaw, CVE-2026-2699, is an authentication bypass caused by improper redirect/session handling (Execution After Redirect) in /ConfigService/Admin.aspx. It allows a remote unauthenticated threat actor to access restricted administrative functions, modify zone configuration, and set conditions enabling subsequent code execution. When paired with CVE-2026-2701 (arbitrary file upload/unzip to webroot), the weaknesses enable pre-authentication remote code execution (RCE). These issues were first publicly disclosed on 2 April 2026 by watchTowr Labs following coordinated disclosure with Progress.
Technical details describe how a redirect that does not terminate execution can expose admin functionality to unauthenticated users, who can then tamper with Storage Zone settings. Separately, weak validation in upload/extraction logic can be abused to place executable files into web-accessible paths. Chaining these behaviors enables reliable RCE on affected SZC 5.x systems (≤ 5.12.3) until upgraded to 5.12.4.
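As an added example (not code from Progress, watchTowr Labs or Arctic Wolf), the following Python triages IIS W3C logs for requests to /ConfigService/Admin.aspx. It flags 302 responses that still carry a page-sized body, which is what a redirect that does not terminate execution tends to produce, and requests from outside the expected admin networks. The logged field set, the 10.0.0.0/8 admin range, the 1024-byte threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

ADMIN_PATH = "/configservice/admin.aspx"  # path named in the advisory, lowercased
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: expected admin sources
REDIRECT_BODY_THRESHOLD = 1024  # assumption: bytes; a bare 302 is normally far smaller

# Constructed sample log, not real traffic (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
2026-04-03 08:01:12 GET /ConfigService/Admin.aspx 203.0.113.7 302 48211
2026-04-03 08:01:15 POST /ConfigService/Admin.aspx 203.0.113.7 302 51020
2026-04-03 08:40:31 GET /ConfigService/Admin.aspx 198.51.100.9 302 420
2026-04-03 09:10:00 GET /ConfigService/Admin.aspx 10.0.0.5 302 412
2026-04-03 09:30:02 GET /default.aspx 198.51.100.9 200 1300
"""

def triage(lines):
    """Return (date, time, client_ip, reasons) for admin-page requests worth reviewing."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != ADMIN_PATH:
            continue
        reasons = []
        size = row.get("sc-bytes", "")
        # A redirect that still carries a page-sized body suggests execution continued.
        if row.get("sc-status") == "302" and size.isdigit() and int(size) > REDIRECT_BODY_THRESHOLD:
            reasons.append("redirect-with-body")
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
            if not any(ip in net for net in ADMIN_NETS):
                reasons.append("outside-admin-network")
        except ValueError:
            reasons.append("unparseable-client-ip")
        if reasons:
            findings.append((row.get("date"), row.get("time"), row.get("c-ip"), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

The sc-bytes field is not always enabled in IIS logging; where it is absent, only the source-network check applies.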
At the time of writing, Arctic Wolf has not observed active exploitation. Threat actors may target this vulnerability due to its high severity (pre-auth RCE chain), widespread internet exposure of SZC deployments, detailed public technical write-up, and the history of mass exploitation of file-transfer platforms by ransomware and data-extortion groups.
Recommendation for CVE-2026-2699 & CVE-2026-2701
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| ShareFile Storage Zones Controller (SZC) 5.x | v5.12.3 or below | v5.12.4 or above |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.



