Progress Software has issued a critical advisory urging administrators of on-premises ShareFile Storage Zone Controllers to immediately shut down their servers. This precautionary measure comes amidst a credible security threat to the platform, necessitating urgent action to protect sensitive data.
Immediate Precautionary Actions
The advisory, which was sent directly to customers, emphasizes that there is currently no evidence of unauthorized access to ShareFile accounts or data. Despite this, Progress is proactively working with cybersecurity experts to evaluate the threat. Administrators are instructed to manually power down their servers, as account access through the affected Storage Zone Controllers has already been suspended by the company.
Ongoing Threat Assessment
Progress Software expects to provide updates within the next 24 hours, underscoring that the shutdown is a cautionary step rather than a response to confirmed breaches. Details regarding the nature of the threat remain undisclosed, raising speculation about potential new zero-day vulnerabilities or exploitation attempts targeting the Storage Zone Controller infrastructure.
This precaution is especially pertinent given past vulnerabilities. In April 2026, two significant vulnerabilities were identified by watchTowr Labs, namely CVE-2026-2699 and CVE-2026-2701, which allowed attackers to exploit the system and execute remote code without authentication.
Historical Context and Future Outlook
The vulnerabilities previously found in ShareFile’s architecture led to widespread exposure, with nearly 784 instances identified by the Shadowserver Foundation as accessible online, and a broader scan finding almost 30,000 instances. Despite patches being issued in version 5.12.4 and the unaffected newer 6.x branch built on .NET Core, the platform’s history of critical security flaws necessitates vigilance.
In light of these developments, security teams are advised to isolate internet-facing instances of Storage Zone Controllers and stay alert for further instructions from Progress. Ensuring the protection of data remains a top priority as the situation develops.
