Progress Software has confirmed that a high-severity path traversal zero-day in ShareFile Storage Zone Controllers is behind last week's emergency server-shutdown order, and it has now shipped a patch. The flaw affects every 5.x and 6.x version of the on-premises controller and lets an authenticated administrative user read arbitrary files, write attacker-controlled content into arbitrary directories, or map out the server filesystem. Progress disclosed the confirmation this week, days after telling customers to physically pull the plug on their servers over a "credible external security threat." Our read: this is MOVEit deja vu, and any controller that sat internet-facing and unpatched should be treated as compromised.
- The zero-day is a high-severity path traversal hitting all ShareFile Storage Zone Controller 5.x and 6.x builds; Progress has released updates to fix it.
- Only the hybrid, customer-managed Storage Zone Controller deployment is affected. Standard cloud-only ShareFile accounts were never at risk.
- Internet-exposed controllers collapsed from roughly 30,000 in April to about 1,000 after the shutdown order, per watchTowr honeypot tracking.
- Progress is holding the CVE number for about two weeks, and ransomware researchers already suspect the Clop extortion crew.
What did Progress actually confirm?
After a week of telling customers only that it was responding to a "credible external security threat," Progress named the cause: a high-severity path traversal vulnerability in the ShareFile Storage Zone Controller, present in every 5.x and 6.x version. Path traversal means an attacker can escape the directory the application is supposed to confine them to and reach files elsewhere on the disk. In Progress's own description, an authenticated administrative user can read any file the ShareFile service account can touch, write attacker-controlled content into arbitrary directories, and enumerate the server's filesystem layout. Writing files to arbitrary locations on a Windows service is frequently a stepping stone to code execution, which is why Progress treated a "read-and-write" bug as an all-hands emergency rather than a routine patch.
RelatedOpenAI Mandates Hardware Passkeys for Cyber Access
Why did Progress tell customers to shut down servers?
Because Storage Zone Controllers are exactly the kind of target extortion crews hunt. They are customer-managed Windows servers that keep files on-premises while ShareFile's cloud handles authentication, permissions, and auditing, so they physically hold the data being shared and they are usually internet-reachable to move files between cloud and local storage. That makes them a data-theft jackpot. When Progress got a credible warning of exploitation with no patch in hand, the only way to stop data walking out the door was to take the servers offline entirely. The email was blunt: it demanded immediate manual shutdown of the hosting server as a "critical additional step to ensure the safety of your data." Only the hybrid Storage Zone Controller deployment was affected; cloud-only ShareFile accounts kept running.
How did the incident unfold?
- Feb 2026Progress patches an earlier critical chain, CVE-2026-2699 (CVSS 9.9) and CVE-2026-2701 (CVSS 9.1) Fix: update to 5.12.4 or any v6
- Jul 11Progress emails customers "IMMEDIATE ACTION REQUIRED," urges manual server shutdown, disables Storage Zone Controller account access Cited a credible external threat, no patch yet
- Jul 12Cloud access restored by 5pm ET, but controllers must stay powered off Exposure already down to ~1,000
- Jul 14Progress confirms the high-severity path traversal zero-day and ships a patch CVE number held ~2 weeks
- ~Jul 28Expected public CVE disclosure and full technical details Clop attribution still unconfirmed
How does this compare to Progress's past breaches?
Progress has been here before, and the pattern is uncomfortably consistent: file-transfer software, a zero-day, and the Clop extortion group circling.
| Incident | ShareFile zero-day | ShareFile Feb CVEs | MOVEit Transfer |
|---|---|---|---|
| When | Jul 2026 | Feb 2026 | 2023 |
| Flaw type | Path traversal (0-day) | Auth bypass + upload | SQL injection (0-day) |
| Patch at disclosure | Yes, now shipped | Yes | Emergency |
| Suspected actor | Clop (unconfirmed) | None named | Clop (confirmed) |
| Scale | ~30,000 exposed | Limited | 2,700+ orgs breached |
What should ShareFile admins do now?
Patch, then verify, then assume-breach. Apply Progress's new Storage Zone Controller update before bringing any server back online, because a controller that was exposed during the window may already have been touched. Keep the management surface off the public internet; a file server that must be reachable should sit behind a VPN or tight allow-list, not open to the world. Then hunt: review the box for unexpected files written to odd directories (the exact capability this flaw grants), unfamiliar accounts, and outbound connections, and rotate any credentials the service account could reach. If you also skipped February's updates, install those too, because the auth-bypass chain from CVE-2026-2699 and CVE-2026-2701 is a separate, equally critical problem.
RelatedThree FortiSandbox CVEs Hit by AI-Generated Exploits
- The withheld CVE. Progress is holding the number and details for about two weeks; the technical write-up will show how close this gets to remote code execution.
- Clop. Whether the group adds ShareFile victims to its leak site, the MOVEit playbook that turned a file-transfer bug into thousands of breaches.
- CISA KEV. Whether the flaw lands on the Known Exploited Vulnerabilities catalog with a federal remediation deadline.
- Rebuild guidance. Whether Progress tells exposed customers to patch-and-trust or fully rebuild controllers.
Our take
The playbook here is almost word-for-word the MOVEit crisis that consumed Progress across 2023 and 2024: a zero-day in internet-facing file-transfer software, an emergency response, and Clop's name in the air before a single victim is confirmed. Recorded Future's Allan Liska summed up the industry reflex, saying the incident "smells like CL0P ransomware group activity." That lineage is why the shutdown order, drastic as it looked, was the right call. Progress could not patch fast enough to protect the data, so it protected the data by turning the servers off, and customers complied at a scale that dropped exposure by roughly 97 percent in days. The broader lesson has not changed since MOVEit: managed file-transfer appliances concentrate an entire organization's sensitive documents behind software that is patched on the vendor's cadence, which makes them the highest-value, softest targets in the enterprise. If you run one, the safe assumption is not "am I patched" but "was I exposed before I patched," and to hunt accordingly.
- OfficialProgress Trust Center advisories ShareFile Storage Zone Controller updates and guidance
- ResearchwatchTowr Labs exposure tracking and zero-day exploitation indicators
- KEVCISA Known Exploited Vulnerabilities federal remediation deadlines
- ContextGenZTech CVE watchlist what is actively exploited right now
Original analysis by GenZTech. Reporting informed by BleepingComputer.
