"We are responding to a 'credible external security threat,'" Progress Software told The Hacker News, advising ShareFile customers to shut down Windows servers running their Storage Zone Controllers.
Progress Software's shutdown order and immediate response
Progress told customers to take the Storage Zone Controller (SZC) servers offline and temporarily disabled access to the affected accounts, a move the company said it took "out of an abundance of caution" while working with internal and external security experts. Progress also stated it has "no indication of unauthorized access to any ShareFile accounts or data" and that it notified customers after learning of the threat. The company has not said what the threat is or who is behind it.
How the disruption became public and how Progress is communicating
The order surfaced publicly when a customer posted Progress's email to Reddit's r/sysadmin on July 10. Progress confirmed the disruption on its status page, listing Storage Zone Controller customers as "not operational" and the incident as under investigation in a 12:12 p.m. EDT update. Progress's messaging so far is limited to advising shutdown, describing the threat as credible, and stressing caution; it has not provided a technical explanation or a timeline for when controllers can return to service.
What the Storage Zone Controller is, and why it matters
The Storage Zone Controller is a server that a company runs itself so files can remain on its own storage while the organization uses ShareFile's cloud to share and manage them. The controller typically "sits at the network's edge, reachable from the internet." That exposure is what makes the controller useful—and why it is an attractive target. Progress's instruction to take SZCs fully offline, rather than directing customers to apply a patch, is notable: "that choice is itself a tell." The source explains this usually means no fix is yet available, though the same action would also fit a threat a patch cannot address, such as stolen keys or a problem on Progress's own side.
Versions, checks, and immediate technical steps for operators
- Confirm software versions: Progress advised customers separately to confirm they are running 5.12.4 or later on the 5.x line, or a 6.x release. Those releases close flaws fixed earlier this year, but Progress has not said they clear the current threat and explicitly cautioned organizations not to treat version checks as permission to restart controllers.
- Treat internet-reachable controllers as incidents: If a controller is reachable from the internet, handle it as a possible incident—preserve logs and start your incident-response process.
- Look for unexpected files: Check for unfamiliar .aspx files in web folders and storage paths that you did not set; a clean-looking server is not proof that it is clean.
Historical precedents inside the ShareFile and Progress timelines
ShareFile has faced similar decisions. In 2023—when the product was still owned by Citrix—attackers exploited an unauthenticated flaw in the Storage Zones Controller tracked as CVE-2023-24489. CISA flagged that flaw as actively exploited, and Citrix cut unpatched controllers off from the ShareFile cloud, mirroring the access block Progress has now imposed. Progress acquired ShareFile in 2024.
Progress itself has previously endured a separate, high-impact incident: the MOVEit 2023 zero-day exploited by the Clop group, an event that affected more than 2,700 organizations. Separately, the Storage Zones Controller had two critical flaws disclosed by watchTowr in April and patched by Progress in March; Progress has not connected the current threat to those flaws, and neither was reported as exploited.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Expect to keep SZCs offline until Progress provides more detail and to treat internet-exposed controllers as incidents—preserve logs, check for unexpected .aspx files, and proceed under the assumption that a patch may not yet exist.
- Affected enterprises and procurement leaders: Operations that rely on on-prem Storage Zone Controllers must plan for service disruption while ShareFile cloud-only accounts are unaffected; verifying versions (5.12.4+ or 6.x) is necessary but not sufficient to resume operations.
- End users and general staff: Standard cloud-only ShareFile accounts are not affected by this outage; users should expect sharing workflows that depend on on-prem controllers to remain interrupted until Progress issues further guidance.
The central fact remains: Progress has pulled Storage Zone Controllers offline, is working with outside experts, and has said little beyond labeling the threat "credible" and urging caution. Whether this will prove to be a newly discovered, unpatched flaw, stolen credentials, or a problem tied to Progress's infrastructure is not yet disclosed. Until Progress provides the missing technical detail and a safe restart plan, customer administrators must assume the risk is real and follow the shutdown order.




