What Progress ordered customers to do
Progress Software told organizations running ShareFile Storage Zone Controllers (SZCs) to manually power off the Windows servers that host the on‑premises component of its enterprise file‑sharing platform. The instruction arrived in an email seen by The Register and, according to customers, was reinforced by direct phone calls from Progress to affected organisations. The vendor said it had already disabled access to ShareFile accounts that rely on Storage Zone Controllers, but warned that disabling access alone was not sufficient to protect data and therefore the physical shutdown was a "critical additional step."
What Progress says about the threat and the investigation
Progress described the problem as a "credible external security threat targeting Progress Software's ShareFile Storage Zone Controllers" and said it was working with internal and external security experts to investigate. In a follow-up notice over the weekend the company offered little additional detail; it said it had "no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat," yet still instructed customers to keep Storage Zone Controllers offline even as cloud services were gradually restored. Progress did not respond to The Register's questions, the report says.
Why Storage Zone Controllers are a high‑risk asset
Storage Zone Controllers let organisations keep files on their own infrastructure while using Progress's cloud platform for authentication and management. Because SZCs "typically sit on internet‑facing Windows servers," Progress and customers regard them as attractive targets if a serious remotely exploitable vulnerability were discovered. The Register notes that Progress patched two critical vulnerabilities in ShareFile Storage Zone Controller v5 months earlier that could be chained into unauthenticated remote code execution, although Progress has not linked the current emergency shutdown to those earlier fixes.
Customer response and speculation
The email and lack of technical detail have fuelled speculation among affected organisations. Customers told The Register that Progress was contacting them directly to reinforce the shutdown instruction. One Progress customer posting on Reddit speculated that the vendor's insistence on a full server shutdown made an "unauthenticated RCE being exploited in the wild" a plausible explanation. Progress has not disclosed whether any customers have been compromised, which software versions are affected, or when administrators can safely power systems back on.
How technologists, procurement leaders, and enterprise admins are responding
- Technologists and security teams: They have been following Progress's instruction to manually power off Storage Zone Controllers and watching for a security advisory or patch from Progress and its external investigators, since the company has asked customers to keep SZCs offline even as some cloud services were restored.
- Procurement leaders and enterprise IT managers: Organisations that run on‑premises SZCs face an immediate operational decision to remove an internet‑facing file‑sharing endpoint from service and to factor the vendor's emergency mitigation into contract and risk assessments, especially given Progress's recent experience handling mass exploitation of MOVEit Transfer during 2023–2024.
- Enterprise administrators: With no timeline from Progress for when systems can be safely powered back on, admins must balance downtime and data availability against the vendor's explicit instruction to keep servers offline as part of containment.
Progress chose a blunt operational mitigation — turning off customer servers — rather than offering a patch or configuration workaround. That decision, coupled with sparse public detail, leaves a narrow set of immediate actions for affected organisations: follow the shutdown instruction, expect direct outreach from Progress, and await definitive guidance from the vendor and its investigators. The Register's report, and Progress's own email, provide the facts organisations must act on now; the unanswered practical questions — which builds or versions are at risk, whether any systems have been breached, and when administrators can restore service — remain in the vendor's hands.




