01
CriticalProgress ShareFileNo Patch
Progress tells ShareFile customers to shut down their servers immediately over a credible threat with no patch, no CVE, and no technical details
The company blocked cloud-side access and then told customers to also manually power down the on-premises Windows servers hosting Storage Zone Controllers. Shutting off cloud access was not considered sufficient on its own.
ProductShareFile Storage
Zone Controller
Zone Controller
NotifiedJuly 10, 2026
PatchNone available
CVENot assigned
What happened
On the evening of July 10, Progress Software emailed ShareFile customers using Storage Zone Controllers with the subject line "Service Disruption" and a clear instruction: shut down the Windows servers hosting those systems immediately. The company said it had identified a credible external security threat targeting the on-premises controller, had already disabled cloud-side access to affected accounts, and was working with internal and external cybersecurity experts to investigate. Progress explicitly told customers that manually powering down the physical server was a critical additional step beyond the cloud-side block, which suggested the threat could be triggered or persisted even without active cloud connectivity. Progress has not disclosed whether a zero-day vulnerability is involved, whether any Storage Zone Controllers have been compromised, or when customers can safely restart. As of the weekend, the ShareFile status page listed Storage Zone Controller customers as not operational with the investigation still ongoing. Standard cloud-only ShareFile accounts are not affected.
Why it matters
The Storage Zone Controller sits between ShareFile's cloud platform and a company's own storage infrastructure, handling every file upload and download. It typically lives at the network edge with internet exposure, which makes it both useful and a high-value target. An emergency shutdown directive with no patch and no technical explanation leaves organizations without file-sharing services and without a clear timeline for restoration. The instruction to shut down the physical server, not just revoke cloud authentication, is the detail that most clearly signals the severity of the threat Progress has assessed.
Don't miss
This is the third emergency affecting the ShareFile Storage Zone Controller component in three years. In 2023, under Citrix ownership, attackers exploited CVE-2023-24489 for unauthenticated remote code execution and CISA added the flaw to its KEV catalog. In April 2026, watchTowr disclosed two chainable critical vulnerabilities, CVE-2026-2699 and CVE-2026-2701, that allowed unauthenticated attackers to achieve remote code execution and upload webshells. Progress patched those in version 5.12.4 but has explicitly stated that the current July threat is separate from those CVEs. Organizations on the patched version of the 5.x branch should still follow the shutdown directive.
Potential actions
- Follow Progress's directive and ensure the Windows server hosting your Storage Zone Controller is powered off. Do not assume that cloud-side access revocation alone is sufficient.
- Review your Storage Zone Controller access logs before shutting down. Look for unfamiliar ASPX files in web folders and storage paths you did not create, and treat a clean-looking server as unconfirmed clean rather than confirmed safe.
- Monitor the ShareFile status page and Progress's official communications for restoration guidance. Do not restart the controller until Progress provides explicit clearance.
The Sip
When a vendor tells you to pull the plug on a server rather than just rotate credentials, the threat is not theoretical. Progress has a documented pattern of critical vulnerabilities in this specific component. The absence of technical details is not reassurance. Keep the server off until Progress says otherwise.