Skip to main content
Emerging Threats

Progress Confirms Zero-Day Flaw Behind ShareFile Shutdown

Server room interior with rows of racks and one empty storage bay centered.

"An authenticated administrative user can read arbitrary files accessible to the application's service account, write threat actor-controlled content to arbitrary directories or enumerate the server filesystem layout," reads an email seen by BleepingComputer.

Progress Software's emergency shutdown and customer advisory

Progress Software told customers to immediately shut down ShareFile Storage Zone Controller Windows servers after receiving a warning of a "credible external security threat." The company temporarily disabled access to all ShareFile accounts that use Storage Zone Controllers while it investigated the incident with cybersecurity experts.

In an update sent to customers, Progress confirmed the emergency action followed discovery of a high-severity zero-day vulnerability in the Storage Zone Controller product line and released security updates to address the flaw.

Technical detail: a path traversal issue in 5.x and 6.x

Progress's investigation identified a high-severity path traversal vulnerability that affects "all 5.x and 6.x versions" of the ShareFile Storage Zone Controller. The company's customer-facing email — quoted above and reviewed by BleepingComputer — describes the impact: an authenticated administrative user could read arbitrary files accessible to the application's service account, write attacker-controlled content into arbitrary directories, or enumerate the server filesystem layout.

Progress says a CVE identifier has been reserved for the vulnerability and that the CVE will be published in two weeks.

Patches issued: versions 5.12.5 and 6.0.2 and next steps for administrators

To remediate the vulnerability, Progress released ShareFile Storage Zone Controller versions 5.12.5 and 6.0.2 and urged all customers to install the updates "as soon as possible." Progress advised that once the security updates are applied, Storage Zone Controllers can be brought back online.

Alongside the patches, Progress stated it has "no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat." That statement accompanies the company's note that it received "information from a credible source" about a potential threat targeting ShareFile customers.

Why Storage Zone Controllers matter to organizations and attackers

Storage Zone Controllers are customer-managed Windows servers that let organizations keep files on-premises while still using ShareFile's cloud platform for authentication, permissions, auditing, and collaboration. Because they contain the files transferred through the system, Progress and reporting outlets note they are a valuable target for extortion gangs in data-theft attacks.

The combination of on-prem data storage and cloud control functions places Storage Zone Controllers at the center of both operational continuity and data-protection risk — which explains why Progress moved quickly to disable affected accounts and push updates.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: Install the released patches (5.12.5 or 6.0.2) immediately and only bring Storage Zone Controllers back online after updates are applied, per Progress's guidance.
  • Procurement and IT leadership: Note that Storage Zone Controllers are customer-managed Windows servers that hold on-premises files while integrating with ShareFile's cloud services; that architecture can concentrate risk and should inform inventory, patching cadence, and contractual requirements for notification and support.
  • End users and enterprise customers: Organizations that experienced the temporary disabling of ShareFile accounts using Storage Zone Controllers may have faced interrupted access while Progress investigated; administrators remain the primary actors who must apply the patch and restore services.

BleepingComputer's outstanding queries to Progress

BleepingComputer has asked Progress whether the vulnerability was discovered internally or by an external researcher, why the CVE publication is being delayed for two weeks, and whether additional technical details will be released. The outlet said it will update the story if Progress responds to those questions.

The company’s swift patch and the reserved CVE provide immediate remedial steps and a timeline for public disclosure, but officials and administrators will be watching for the published CVE and any further technical detail that could inform detection and post-compromise assessments.

Original reporting: BleepingComputer — Progress confirms ShareFile zero-day flaw behind Storage Zone shutdown