Critical Vulnerabilities in Progress ShareFile (CVE-2026-2699, CVE-2026-2701)

Executive Summary

On April 2nd, 2026, the cybersecurity research company watchTowr publicly disclosed a proof-of-concept exploit for two critical vulnerabilities (CVE-2026-2699 and CVE-2026-2701) affecting Progress ShareFile. When chained together, these vulnerabilities allow an unauthenticated attacker to bypass authentication and achieve remote code execution (RCE) on targeted systems.

Although Progress Software has not confirmed active exploitation at the time of this writing, watchTowr has released exploit code along with an in-depth analysis of the vulnerabilities and the exploit chain. Because ShareFile Storage is commonly used to manage and store sensitive enterprise data, the software is particularly attractive to threat actors, and similar platforms have a long history of being targeted.

Given the public disclosure of exploit code and the sensitive data hosted on these systems, Beazley Security expects exploitation attempts to begin soon and recommends that organizations patch affected systems immediately.

Affected Systems or Products

Product                                   Affected Versions       Fixed Version
ShareFile Storage Zones Controller 5.x    5.x prior to 5.12.4     5.12.4

Mitigations / Workarounds

Given the recent exploit disclosure by watchTowr, it is strongly recommended that affected organizations upgrade to fixed versions of the ShareFile Storage software. Progress ShareFile has released patches to remediate these vulnerabilities. Please see the “Patches” section for more information.

If patching cannot be immediately applied, these mitigations may help temporarily reduce risk of compromise:

  • Restrict network access to the Storage Zones Controller to trusted and expected B2B traffic only.
  • Implement a Web Application Firewall (WAF) to detect and block malicious requests to the /ConfigService/Admin.aspx endpoint.
  • Ensure modern EDR is running and up to date on the affected hosting server.

Patches

Patches have been made available by Progress ShareFile via their documentation website. Affected customers on versions of the 5.x branch should upgrade to 5.12.4 or migrate to supported 6.x releases. Technical support is available to customers under active warranty and maintenance.

Indicators of Compromise

At the time of this writing, Progress Software confirmed they have not received reports of these vulnerabilities being exploited in the wild. However, watchTowr Labs publicly disclosed a full exploit chain and working proof of concept as of April 2, 2026.

Defenders can watch for the following behavioral indicators of attack:

  • Monitor for suspicious access attempts to /ConfigService/Admin.aspx, especially requests that return HTTP 302 responses with very large response bodies.
  • Review ShareFile Storage Zone configurations for unauthorized or unexpected changes to Storage Repositories, which could indicate post-exploitation activity.
  • Audit webroot directories such as c:\inetpub\wwwroot\ShareFile\StorageCenter\ for unexpected .aspx files, which may be an indicator of a webshell deployment.
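The first and third indicators above can be checked mechanically. The following script is an added example and is not code from the advisory or from Progress; it assumes the Storage Zones Controller is fronted by IIS with W3C extended logging and the sc-bytes field enabled (it is off by default), parses the #Fields: header so column order does not matter, flags 302 responses from /ConfigService/Admin.aspx whose body is far larger than a normal redirect, and compares a webroot listing against a known-good baseline of .aspx files. The 4096-byte threshold, the baseline entries other than Upload.aspx, and all log lines are constructed assumptions to be tuned against a clean install.

```python
import os
from dataclasses import dataclass
from typing import Iterable, Iterator

ADMIN_PAGE = "/configservice/admin.aspx"  # endpoint named in the advisory, matched case-insensitively

# Assumption: a plain redirect response is a few hundred bytes at most, so a 302 that
# carries more than this is returning page content alongside the redirect.
LARGE_302_BYTES = 4096


@dataclass
class Hit:
    time: str
    client_ip: str
    user_agent: str
    status: int
    sc_bytes: int


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per IIS W3C log row, keyed by the names in the #Fields: header."""
    fields: list[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the header decides the column order
            continue
        if not line or line.startswith("#"):
            continue                       # #Software:, #Date:, blank lines
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip malformed rows instead of crashing
        yield dict(zip(fields, parts))


def find_suspicious_302(lines: Iterable[str], threshold: int = LARGE_302_BYTES) -> list[Hit]:
    """Flag 302 responses from the admin page whose body is far larger than a redirect."""
    hits: list[Hit] = []
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != ADMIN_PAGE:
            continue
        try:
            status = int(rec.get("sc-status", "0"))
            sc_bytes = int(rec.get("sc-bytes", "0"))
        except ValueError:
            continue
        if status == 302 and sc_bytes > threshold:
            hits.append(Hit(rec.get("time", ""), rec.get("c-ip", ""),
                            rec.get("cs(User-Agent)", ""), status, sc_bytes))
    return hits


def unexpected_aspx(paths: Iterable[str], baseline: set[str]) -> list[str]:
    """Return .aspx paths (relative, forward slashes) that are not in the known-good baseline."""
    normalized = {p.replace("\\", "/").lower() for p in baseline}
    found = []
    for p in paths:
        rel = p.replace("\\", "/")
        if rel.lower().endswith(".aspx") and rel.lower() not in normalized:
            found.append(rel)
    return sorted(found)


def audit_webroot(root: str, baseline: set[str]) -> list[str]:
    """Walk a real webroot (e.g. the StorageCenter directory) and report unexpected .aspx files."""
    rels = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rels.append(os.path.relpath(os.path.join(dirpath, name), root))
    return unexpected_aspx(rels, baseline)


# --- Constructed sample data (not real logs or a real deployment) ---
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2026-04-03 10:15:01 10.0.0.5 GET /ConfigService/Admin.aspx - 443 - 203.0.113.7 Mozilla/5.0 302 0 0 182 412 15
2026-04-03 10:15:09 10.0.0.5 GET /ConfigService/Admin.aspx - 443 - 203.0.113.7 python-requests/2.31 302 0 0 58211 410 120
2026-04-03 10:16:00 10.0.0.5 GET /StorageCenter/Upload.aspx - 443 - 198.51.100.9 Mozilla/5.0 200 0 0 2310 500 40
"""

# Assumed baseline of legitimate pages under the webroot; Default.aspx is a placeholder,
# build the real list from a clean install of the same version.
BASELINE = {"StorageCenter/Upload.aspx", "StorageCenter/Default.aspx"}
SAMPLE_LISTING = ["StorageCenter\\Upload.aspx", "StorageCenter\\Default.aspx",
                  "StorageCenter\\web.config", "StorageCenter\\tmp_1a2b.aspx"]

if __name__ == "__main__":
    for h in find_suspicious_302(SAMPLE_LOG.splitlines()):
        print(f"suspicious 302 at {h.time} from {h.client_ip} ({h.user_agent}): {h.sc_bytes} bytes")
    for path in unexpected_aspx(SAMPLE_LISTING, BASELINE):
        print(f"unexpected .aspx file: {path}")
```

On the sample data the first request is an ordinary 182-byte redirect and is ignored, while the second 302 carrying 58,211 bytes is flagged; the listing check reports only the file absent from the baseline. In production, feed audit_webroot the real path (c:\inetpub\wwwroot\ShareFile\StorageCenter\) and point find_suspicious_302 at the rotated IIS logs.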

Technical Details

According to research from watchTowr, the unauthenticated RCE exploit chain involves two vulnerabilities: CVE-2026-2699, an authentication bypass, and CVE-2026-2701, which enables RCE through an arbitrary file upload within the ShareFile Storage Zone Controller.

The full exploitation process is more involved, and watchTowr provides a detailed technical write-up of how the vulnerabilities were identified and chained together. A simplified summary is provided below:

CVE-2026-2699 – Authentication Bypass

A flaw exists in how the application handles unauthenticated requests to its admin page (/ConfigService/Admin.aspx). When a user who is not logged in requests this page, the application attempts to redirect them away, but the redirect is implemented such that the server still includes the rest of the admin page in the redirect response. An attacker can force the application to ignore the redirect, allowing the full admin interface to load without authentication.

CVE-2026-2701 – Post Authentication Remote Code Execution

After bypassing authentication with CVE-2026-2699, an attacker can access the admin interfaces and modify network storage locations, including pointing them at local filesystem and web-accessible directories on the controller. The /StorageCenter/Upload.aspx endpoint can then be used to upload and extract zipped archives. Combining these, a malicious .aspx webshell can be uploaded and extracted into an exposed repository location reachable over HTTP, where it can execute commands, resulting in RCE.

In summary, CVE-2026-2699 lets an attacker bypass authentication and reach the ShareFile admin interface, and CVE-2026-2701 can then be used to upload and execute malicious files on the server, resulting in RCE and full compromise of the server.

How Beazley Security is responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.
