ShareFile Vulnerabilities Enable Pre-Auth RCE Attacks
▼ Summary
– Two chained vulnerabilities in Progress ShareFile allow unauthenticated attackers to exfiltrate files from affected systems.
– The flaws consist of an authentication bypass (CVE-2026-2699) and a remote code execution bug (CVE-2026-2701) in the Storage Zones Controller.
– Exploitation involves bypassing authentication to access the admin interface and then uploading a webshell to execute commands on the server.
– Progress released a patch for these issues in version 5.12.4 of ShareFile on March 10, 2024.
– Researchers estimate thousands of instances are internet-exposed, urging immediate patching to prevent likely exploitation.
A critical security flaw in a widely used enterprise file transfer platform could allow attackers to steal data without any login credentials. Researchers have identified a chain of two vulnerabilities in Progress ShareFile, a secure document sharing solution for businesses, that enables pre-authentication remote code execution. This combination of flaws allows threat actors to bypass security controls and ultimately exfiltrate files from compromised environments.
The vulnerabilities were discovered by security firm watchTowr in the ShareFile Storage Zones Controller, a component that lets organizations store data on their own infrastructure. The first issue, tracked as CVE-2026-2699, is an authentication bypass flaw. It stems from improper handling of HTTP redirects, which grants unauthorized access to the administrative interface. Once inside, an attacker can manipulate critical configuration settings, including storage paths and security parameters like the zone passphrase.
This initial access sets the stage for the second, more severe vulnerability. Designated as CVE-2026-2701, it is a remote code execution flaw. By abusing file upload functions after bypassing authentication, an attacker can deploy malicious ASPX webshells directly into the application’s webroot. This provides a persistent backdoor for executing commands on the underlying server. The researchers note that while generating valid cryptographic signatures is required, this becomes feasible after exploiting the first vulnerability due to the ability to control passphrase-related secrets.
Enterprise file transfer solutions are a high-value target for cybercriminals, particularly ransomware groups. This pattern has been seen repeatedly in attacks on platforms like Accellion FTA, GoAnywhere MFT, and MOVEit Transfer. The public exposure of these systems is significant. WatchTowr’s scans indicate approximately 30,000 Storage Zone Controller instances are accessible on the public internet, with other organizations like The ShadowServer Foundation observing hundreds of exposed systems, primarily in the United States and Europe.
Progress Software addressed these critical security issues in ShareFile version 5.12.4, released on March 10. The patches followed a responsible disclosure process where watchTowr reported the flaws in early February and confirmed the full exploit chain by mid-month. While there are no confirmed reports of active exploitation in the wild, the public disclosure of this attack chain presents a clear and present danger. Organizations using vulnerable versions of the ShareFile Storage Zones Controller must apply the update immediately to mitigate the risk of data theft and system compromise.
(Source: BleepingComputer)