Progress tells ShareFile customers to pull the plug on Storage Zone Controllers: credible threat, no patch, no CVE      Accenture confirms breach: threat actor 888 claims 35GB including Azure access tokens and source code      Zimbra critical stored XSS: opening a crafted email runs malicious code in the recipient's session      Progress tells ShareFile customers to pull the plug on Storage Zone Controllers: credible threat, no patch, no CVE      Accenture confirms breach: threat actor 888 claims 35GB including Azure access tokens and source code      Zimbra critical stored XSS: opening a crafted email runs malicious code in the recipient's session     
CyberSipTM
Intelligence without the noise
Issue No. 84
July 13, 2026
3 items · past 72h
<5 min read
Weekend picture

Progress Software sent ShareFile customers an urgent email on the evening of July 10 instructing them to immediately shut down every on-premises Storage Zone Controller, citing a credible external security threat with no patch available and no technical details disclosed. Accenture confirmed a breach after threat actor 888 posted a forum listing claiming 35 gigabytes of stolen material from Azure DevOps repositories, including source code, RSA keys, SSH keys, and Azure access tokens. Zimbra disclosed a critical stored cross-site scripting flaw in its Classic Web Client on July 11 that allows a specially crafted email to run malicious JavaScript in the recipient's browser session when the message is opened.

Weekend intelligence
3 items
01 CriticalProgress ShareFileNo Patch
Progress tells ShareFile customers to shut down their servers immediately over a credible threat with no patch, no CVE, and no technical details
The company blocked cloud-side access and then told customers to also manually power down the on-premises Windows servers hosting Storage Zone Controllers. Shutting off cloud access was not considered sufficient on its own.
ProductShareFile Storage
Zone Controller
NotifiedJuly 10, 2026
PatchNone available
CVENot assigned
On the evening of July 10, Progress Software emailed ShareFile customers using Storage Zone Controllers with the subject line "Service Disruption" and a clear instruction: shut down the Windows servers hosting those systems immediately. The company said it had identified a credible external security threat targeting the on-premises controller, had already disabled cloud-side access to affected accounts, and was working with internal and external cybersecurity experts to investigate. Progress explicitly told customers that manually powering down the physical server was a critical additional step beyond the cloud-side block, which suggested the threat could be triggered or persisted even without active cloud connectivity. Progress has not disclosed whether a zero-day vulnerability is involved, whether any Storage Zone Controllers have been compromised, or when customers can safely restart. As of the weekend, the ShareFile status page listed Storage Zone Controller customers as not operational with the investigation still ongoing. Standard cloud-only ShareFile accounts are not affected.
The Storage Zone Controller sits between ShareFile's cloud platform and a company's own storage infrastructure, handling every file upload and download. It typically lives at the network edge with internet exposure, which makes it both useful and a high-value target. An emergency shutdown directive with no patch and no technical explanation leaves organizations without file-sharing services and without a clear timeline for restoration. The instruction to shut down the physical server, not just revoke cloud authentication, is the detail that most clearly signals the severity of the threat Progress has assessed.
This is the third emergency affecting the ShareFile Storage Zone Controller component in three years. In 2023, under Citrix ownership, attackers exploited CVE-2023-24489 for unauthenticated remote code execution and CISA added the flaw to its KEV catalog. In April 2026, watchTowr disclosed two chainable critical vulnerabilities, CVE-2026-2699 and CVE-2026-2701, that allowed unauthenticated attackers to achieve remote code execution and upload webshells. Progress patched those in version 5.12.4 but has explicitly stated that the current July threat is separate from those CVEs. Organizations on the patched version of the 5.x branch should still follow the shutdown directive.
  • Follow Progress's directive and ensure the Windows server hosting your Storage Zone Controller is powered off. Do not assume that cloud-side access revocation alone is sufficient.
  • Review your Storage Zone Controller access logs before shutting down. Look for unfamiliar ASPX files in web folders and storage paths you did not create, and treat a clean-looking server as unconfirmed clean rather than confirmed safe.
  • Monitor the ShareFile status page and Progress's official communications for restoration guidance. Do not restart the controller until Progress provides explicit clearance.
When a vendor tells you to pull the plug on a server rather than just rotate credentials, the threat is not theoretical. Progress has a documented pattern of critical vulnerabilities in this specific component. The absence of technical details is not reassurance. Keep the server off until Progress says otherwise.
02 HighAccentureAzure DevOps
Accenture confirms a breach after threat actor 888 claims 35 gigabytes stolen from Azure DevOps, including source code and Azure access tokens
Accenture acknowledged the incident but said nothing about the scope of what was taken. The claimed haul includes live access credentials. If genuine and not yet rotated, those tokens do not expire with the breach confirmation.
Claimed35GB from Azure
DevOps repos
Actor888
DisclosedJuly 6, 2026
Confirmed byAccenture (July 7)
"isolated matter"
On July 6, threat actor 888 posted a listing on a cybercrime forum claiming to sell 35 gigabytes of data stolen from Accenture in July 2026. The claimed dataset includes source code, RSA keys, SSH keys, Azure Personal Access Tokens, Azure Storage access keys, and configuration files. As supporting evidence, 888 posted a screenshot showing the cloning of an Azure DevOps repository named 121123_AtriasTalentAcademy hosted on an Accenture production domain. Accenture confirmed the incident to multiple outlets on July 7, describing it as an isolated matter that had been remediated at the source, with no impact on operations or service delivery. The company did not confirm or deny the 35-gigabyte figure, the credential types claimed, or whether any client data was involved. The initial access vector has not been disclosed. Researchers noted the presence of .env file references in the sample, which suggested the data may have originated from a developer machine rather than a repository, since .env files are typically excluded from repository uploads.
Accenture provides technology and outsourcing services to a substantial portion of the Fortune 500. If the claimed Azure access tokens were live at the time of theft and have not been rotated, they provide access to build pipelines and cloud storage, not just static code. Azure Personal Access Tokens grant permissions within Azure DevOps environments, and Azure Storage access keys provide read and write access to cloud storage used across projects. The gap between what Accenture confirmed and what 888 claimed is not reassuring: a narrow statement that neither corroborates nor refutes a credential exposure is not the same as confirmation that credentials were revoked.
Threat actor 888 has previously claimed breaches at Decathlon, Credit Suisse, Shell, Heineken, and UNICEF, and attempted to sell alleged Accenture employee data in 2024, which Accenture disputed at the time. The actor's track record means the claim is plausible but not verified. Organizations that share Azure DevOps environments or CI/CD pipelines with Accenture, or whose codebases may intersect with Accenture-managed repositories, should treat this as a trigger for reviewing shared access grants regardless of how Accenture's investigation ultimately resolves.
  • Organizations that share Azure DevOps access, CI/CD pipelines, or cloud storage with Accenture should audit and revoke any Accenture-issued tokens or access grants and verify there has been no unauthorized access to shared environments.
  • If your organization uses Accenture for managed development or cloud services, request a written statement from your account team on whether the incident touched any environment connected to your projects.
Accenture said the source was remediated. It did not say what the source was, what was taken, or whether the Azure tokens it did not mention were rotated. Access tokens do not expire because a company issues a statement. If your environment has a thread to Accenture's Azure DevOps, pull it now.
03 HighZimbraClassic Web Client
Zimbra patches a critical stored XSS flaw that lets a crafted email run malicious code in the recipient's session when opened
No CVE has been assigned yet. The flaw is in the Classic Web Client only. Zimbra is urging immediate updates, and the plain description of the risk, opening an email executes code in your session, leaves little ambiguity about the urgency.
CVENot yet assigned
ComponentClassic Web Client
PatchedJuly 11, 2026
ImpactSession hijacking,
credential theft,
account takeover
Zimbra published an urgent security notice on July 11 describing a stored cross-site scripting vulnerability in the Classic Web Client. A stored XSS flaw means the malicious payload is embedded in content that the server stores and later delivers to users, in this case inside an email. When a recipient opens a message containing the crafted payload, the embedded JavaScript executes inside their authenticated browser session. Zimbra's advisory states that successful exploitation could allow access to mailbox information, session data, and account settings. The broader consequence of session-based JavaScript execution extends to session token theft, which would allow an attacker to hijack the session entirely without needing the user's password. No CVE has been assigned, and no technical details of the payload mechanism have been published. Zimbra is urging all customers running the Classic Web Client to apply the available update immediately.
Zimbra is widely deployed in government, education, and enterprise environments, particularly in regions where on-premises email infrastructure is common. A stored XSS that fires on email open requires no user action beyond reading mail, and because it executes in an authenticated session, the attacker's JavaScript inherits whatever permissions the logged-in user holds. In environments where Zimbra accounts carry administrative access, the blast radius extends beyond individual mailboxes.
Zimbra's Classic Web Client is an older interface that many deployments still run alongside the modern client for compatibility. Environments that have disabled or restricted the Classic Web Client for end users may have reduced exposure, but the flaw is in the server-side rendering path and should be patched regardless. Zimbra vulnerabilities have historically attracted rapid exploitation: a 2023 zero-day in Zimbra's web client was exploited by multiple nation-state actors within days of public disclosure. The absence of a CVE does not indicate low severity here. Zimbra's own language in the advisory makes the urgency explicit.
  • Apply the Zimbra update addressing this stored XSS flaw immediately. Check the Zimbra Security Center for the specific patched version applicable to your deployment.
  • Review Zimbra server logs for unusual session activity, unexpected API calls originating from web client sessions, or administrative actions taken during the period before the patch was applied. A stored XSS that was delivered before patching may have already been triggered.
An email that runs code in your session when you open it. No click required, no attachment, no macro prompt. Stored XSS in a mail client is as close to a passive compromise as phishing gets. Patch Zimbra today.
Cross-source standouts
01
Progress and ShareFile continue a pattern that began before Progress owned the product
The Storage Zone Controller's security history predates Progress Software's ownership, which began in 2024. Under Citrix, the same component was exploited via CVE-2023-24489, which allowed unauthenticated remote code execution and prompted CISA to mandate federal remediation. The April 2026 watchTowr disclosure under Progress ownership produced two more chainable criticals, patched in version 5.12.4. The July 2026 emergency is the third serious incident in three years affecting the same on-premises component. The pattern matters because it is not simply about a specific vulnerability. It reflects the sustained attacker interest in enterprise file transfer infrastructure as a category, which this brief has tracked across MOVEit, GoAnywhere, and now ShareFile across multiple years. The Storage Zone Controller is an internet-exposed gateway to sensitive file stores. That architectural position keeps it in attackers' sights regardless of who owns the product or what patches have been applied.
02
The Accenture breach statement is a template for what a vendor confirmation that confirms nothing looks like
Accenture's statement acknowledged an isolated matter, confirmed remediation of the source, and said there was no impact on operations. It said nothing about what the source was, what data was accessed, whether credentials were revoked, or whether client environments were assessed. That is the minimum statement required to stop the news cycle without providing information useful to defenders. The practical consequence for any organization with a supply chain connection to Accenture is that the statement does not resolve the question of whether credentials or code from a shared environment were in the claimed 35-gigabyte dataset. Vendor breach confirmations structured to minimize disclosure leave downstream supply chain partners holding the uncertainty. Requesting a specific written statement from your account team about shared environment exposure is not an aggressive ask. It is the appropriate due-diligence response when a vendor confirms a breach and declines to characterize it.
Still watching
Days 3–7
Ill Bloom (Issue 83 · crypto wallet weak randomness) — $5M+ confirmed drained. Check addresses at illbloom.org. If your address matches, create a new wallet and transfer funds before doing anything else.
Day 3
GhostLock CVE-2026-43499 (Issue 82 · Linux since 2011) — 97% reliable root, five seconds, escapes containers. Patch from your distribution. Prioritize container hosts, Kubernetes nodes, and CI/CD runners.
Day 4
Ubiquiti UniFi Advisory 066 (Issue 83 · 7 criticals, CVSS 10.0) — no confirmed exploitation yet but same product family had three KEV additions six weeks ago. Update all affected products per the bulletin.
Day 3
Bad Epoll CVE-2026-46242 (Issue 79 · Linux ≥6.4) — 99% reliable local root. Three simultaneous public Linux kernel exploits in circulation. Patch kernels and prioritize cloud VMs and container hosts.
Day 7