Secure Cyber Blog

Progress ShareFile Storage Zone Controller: Emergency Shutdown Ordered Amid Active Security Threat

Written by Secure Cyber | Jul 10, 2026 9:11:27 PM

Security Advisory — July 10, 2026

Quick summary: Progress Software is telling every customer running a ShareFile Storage Zone Controller to power down the server immediately. The company says it has identified a credible external security threat against the product and is taking systems offline as a precaution while it investigates. If your organization runs one of these controllers, treat this as urgent.

What happened

Progress Software has emailed customers who run ShareFile Storage Zone Controllers, instructing them to shut down the underlying Windows servers right away. The company has confirmed it is responding to what it describes as a credible external security threat targeting the product.

Two things are happening at once. First, Progress has already disabled cloud-side access for every account tied to a Storage Zone Controller. Second — and this is the part that requires action on your end — Progress is separately asking customers to manually power down the physical or virtual server hosting the controller software itself. Disabling cloud access alone is apparently not considered sufficient protection.

Progress says that, as of now, it has no evidence of unauthorized access to any customer accounts or data. The company frames the shutdown as a precautionary step taken while its internal team and outside security experts investigate, and has indicated further updates should follow within roughly a day.

Who this affects

This advisory is specific to organizations running a Storage Zone Controller — the self-managed component that lets a company keep files on its own storage while still using ShareFile's cloud platform for authentication, sharing, and collaboration. If your organization only uses ShareFile as a standard cloud-hosted service, with no on-premises controller, this incident does not apply to you.

By design, Storage Zone Controllers typically sit at the edge of a network and are reachable from the public internet, so files can move between the cloud platform and an organization's own storage. That same design is what makes the controller a meaningful target. When researchers examined this exposure earlier in 2026, they estimated tens of thousands of these controllers were reachable from the internet at that time.

What Progress hasn't said

As of this writing, Progress has not disclosed the technical nature of the threat, who may be behind it, or whether any individual customer's controller has actually been breached.

It's worth reading between the lines a little. When a vendor already has a fix ready, the usual guidance is simply "apply the patch." Ordering a full, manual shutdown instead suggests Progress doesn't have one yet — consistent with a newly discovered issue the company is racing to close, though it would also fit a threat a patch alone couldn't solve, such as stolen credentials.

This isn't the product's first brush with trouble

Storage Zone Controllers — and Progress more broadly — have a track record worth knowing about:

  • 2023: While ShareFile still belonged to Citrix, attackers actively exploited an unauthenticated vulnerability in this same Storage Zones Controller product (CVE-2023-24489). CISA added it to its Known Exploited Vulnerabilities catalog, and the vendor's response then looked a lot like Progress's response now: cutting affected controllers off from the cloud.
  • Earlier in 2026: Researchers disclosed a chain of two flaws in Storage Zones Controller 5.x — an authentication bypass (CVE-2026-2699) paired with a remote-code-execution bug (CVE-2026-2701) — together capable of letting an attacker plant a web shell on an internet-facing server without ever logging in. Progress had already shipped fixes in version 5.12.4 by the time this research went public, and version 6.x was never affected. Progress hasn't linked today's threat to that earlier chain, and neither flaw was ever reported as actively exploited — but the pattern of attacker interest in this product line is hard to ignore.
  • MOVEit: Progress is also the company behind MOVEit Transfer, whose 2023 zero-day was mass-exploited by the Clop ransomware group and ultimately touched more than 2,700 organizations worldwide.

None of this confirms today's threat is connected to anything above. But it's part of why security teams are taking this warning seriously even before technical details emerge.

What to do right now

  • Power it down. If you run a Storage Zone Controller, take it offline now. Don't wait for a fuller technical writeup before acting on the shutdown order itself.
  • Check your version regardless. Confirm you're on 5.12.4 or later on the 5.x line, or any 6.x release. This closes the previously known flaws from earlier this year — but Progress has not said it addresses the current threat, so an up-to-date version is not a green light to bring the server back online.
  • Treat an internet-facing controller as a possible incident, not just a precaution. If your instance was reachable from outside your network, preserve logs and begin your incident response process now.
  • Look for signs of tampering. Check web-accessible folders for unfamiliar .aspx files, and review storage paths for anything you didn't put there. A server that looks normal isn't the same as one that's confirmed clean.
  • Wait for official word before restarting. Keep the controller offline until Progress clarifies what the threat actually is and confirms it's safe to bring systems back online.

If you need help

Figuring out whether an internet-facing system has actually been compromised — quickly, under pressure, and without destroying evidence in the process — is exactly what an incident response team is for. If your organization runs a ShareFile Storage Zone Controller and you'd like a second set of expert eyes on your environment, or you suspect something may already be wrong, SecureCyber's SOC is available now.

Call the SecureCyber SOC: 937-388-4405

This advisory reflects Progress's communications to customers and public reporting on this incident as of July 10, 2026. Details are still developing — confirm the latest guidance directly with Progress before making decisions about your environment.

Sources:

https://thehackernews.com/2026/07/urgent-progress-tells-sharefile.html
Viewed Jul 10 2026 17:05PM EDT

https://www.bleepingcomputer.com/news/security/progress-urges-sharefile-customers-to-shut-down-servers-over-credible-threat/
Viewed Jul 10 2025 17:05PM EDT

https://status.sharefile.com/incidents/c59n5343lbkq
Viewed Jul 10 2025 17:05PM EDT