Key Takeaways
- Progress Software issued an urgent alert on July 10 concerning a “credible external security threat” to on‑premises ShareFile Storage Zone Controllers (SZCs).
- Customers were instructed to shut down the servers hosting their SZCs and to keep them disabled while the investigation proceeds.
- As of the latest update, Progress Software states there is no evidence of unauthorized access to ShareFile accounts or data, but the service remains non‑operational for affected customers.
- The company is working with internal and external cyber‑security experts and is gradually restoring access, advising customers to keep SZCs offline until the threat is fully understood.
- Speculation in technical forums points to a possible chain of two recently disclosed vulnerabilities (CVE‑2026‑2699 and CVE‑2026‑2701) enabling pre‑authentication remote code execution on unpatched SZC deployments.
- Progress promises regular updates and encourages customers to monitor the ShareFile Status Page and official Knowledge Base articles for the latest information.
Background on ShareFile Storage Zone Controllers
ShareFile, a file‑sharing and collaboration platform owned by Progress Software, offers both cloud‑hosted and on‑premises deployment options. Organizations that choose the on‑premises route install Storage Zone Controllers (SZCs) on servers they manage themselves. These controllers act as gateways that store, encrypt, and serve files shared through ShareFile while keeping the data within the customer’s own infrastructure. Because SZCs sit at the trust boundary between the internal network and the ShareFile service, they are a high‑value target for attackers seeking to compromise sensitive corporate documents.
The July 10 Security Alert
On July 10, Progress Software sent an email to all ShareFile customers notifying them of a “credible external security threat” targeting the on‑premises SZC components. The message characterized the situation as critical and urged recipients to take immediate action: manually power down or disconnect the server hosting their SZC. The email emphasized that this step was a precautionary measure designed to protect customer data while the company investigated the nature and scope of the threat. Progress also pledged to provide regular updates as the situation evolved.
Immediate Customer Response Instructions
The alert directed customers to shut down the SZC‑hosting server and to keep it offline until further notice. Progress clarified that simply disabling the ShareFile web portal or user accounts would not suffice; the physical or virtual machine running the SZC must be halted to prevent any potential exploitation. The company warned that leaving the controller active could expose stored files to unauthorized access, data exfiltration, or ransomware deployment, depending on the attacker’s objectives.
Status Page and Knowledge Base Updates
Following the alert, the ShareFile Status Page continued to display the July 10 notice, indicating that “ShareFile customers with Storage Zone Controllers are not operational at this time.” A Knowledge Base article published on July 11 reinforced that, despite the ongoing investigation, Progress Software had “no indication of unauthorized access to any Progress ShareFile Accounts or data.” The article also reminded customers to retain the SZC in a powered‑off state and to monitor official channels for any changes in the recommended mitigation steps.
Community Reaction and Information Gaps
Discussions on platforms such as the Sysadmin subreddit revealed frustration among administrators who felt that Progress’s subsequent communications offered little new detail beyond the initial warning. Participants complained that the lack of specific technical information made it difficult to assess risk accurately or to prioritize internal remediation efforts. Some users requested clarification on whether the threat was limited to certain SZC versions, configurations, or geographic regions, but Progress had not yet released such granularity in its public statements.
Gradual Restoration of Access
Despite the ongoing investigation, Progress Software reported that it had begun to restore access to affected ShareFile accounts. The restoration process appears to be phased, with the company cautiously bringing services back online while verifying that the underlying threat has been neutralized. Importantly, Progress continues to advise customers to keep their SZC servers disabled until the investigation concludes, suggesting that the restoration pertains primarily to cloud‑based ShareFile functionalities that do not rely on the on‑premises controller.
Official Stance on Data Compromise
Throughout its communications, Progress Software has maintained that there is currently no evidence of unauthorized access to ShareFile accounts or the data stored within them. The company stresses that its assessment is based on ongoing forensic analysis, log reviews, and collaboration with external cyber‑security experts. This assertion aims to reassure customers that, while service disruption is real, the confidentiality and integrity of their files appear to remain intact—pending the final outcome of the investigation.
Speculated Vulnerability Chain
In the absence of an official root‑cause disclosure, security researchers and forum participants have hypothesised that attackers may have exploited a combination of two recently disclosed vulnerabilities: CVE‑2026‑2699 and CVE‑2026‑2701. Both flaws affect the ShareFile Storage Zone Controller software and, when chained, could enable pre‑authentication remote code execution (RCE) on unpatched installations. If successfully exploited, such an RCE would allow an attacker to execute arbitrary commands on the SZC server, potentially leading to data theft, persistence, or lateral movement within the victim’s network. Progress has not confirmed or denied this theory, noting that the investigation is still underway.
Collaboration with Security Experts
Progress Software indicated that it is working closely with both internal security teams and external third‑party specialists to evaluate the threat. This collaboration likely involves malware analysis, network traffic inspection, and code review of the SZC components to identify any signs of compromise or malicious activity. By leveraging external expertise, the company aims to accelerate the identification of the attack vector, develop appropriate patches or mitigations, and provide customers with concrete guidance on securing their environments.
Recommendations for Affected Organizations
Until Progress issues a definitive all‑clear, organizations using on‑premises ShareFile Storage Zone Controllers should adhere to the following best practices:
- Keep SZC servers powered off or isolated from the network as instructed.
- Monitor official channels (ShareFile Status Page, Knowledge Base, and direct communications from Progress) for updates.
- Review internal logs for any anomalous activity preceding the July 10 alert, focusing on authentication attempts, unexpected process executions, or outbound connections from the SZC host.
- Prepare for patching – once Progress releases a security advisory or patch, apply it promptly before re‑enabling the SZC.
- Consider temporary cloud‑only usage – if business continuity requires file sharing, customers may rely solely on the cloud‑hosted ShareFile service while their on‑premises controllers remain offline.
- Engage internal or external incident‑response teams to conduct a thorough assessment of any potential exposure, even though Progress has stated no evidence of data breach thus far.
Conclusion
The July 10 alert from Progress Software underscores the heightened risk associated with on‑premises components of widely used SaaS platforms. While the company has not confirmed data loss or unauthorized access, the precautionary shutdown of Storage Zone Controllers reflects a serious stance toward protecting customer information. Ongoing investigation, collaboration with security experts, and gradual service restoration indicate a measured response. Affected customers should remain vigilant, follow prescribed mitigation steps, and await further technical details from Progress before returning their SZC servers to operation. Until then, maintaining the controllers in an offline state remains the safest course to safeguard shared files and broader network integrity.

