"a credible external security threat," Progress Software said it detected on July 10, prompting a four-day suspension of ShareFile Storage Zones Controller that was lifted when the company resumed service on July 14.
Progress restores ShareFile Storage Zones Controller access after four-day suspension
Progress restored customer access to its ShareFile Storage Zones Controller on July 14 after temporarily suspending the service on July 10. ShareFile is Progress’ flagship enterprise file‑sharing service, and Storage Zones Controller provides ShareFile customers with private data storage. The outage followed the company’s detection of what it described as “a credible external security threat.”
The vulnerability: a high‑severity path traversal in Storage Zones Controller 5.x and 6.x
Progress confirmed to Infosecurity that the incident resulted from the exploitation of a high severity path traversal vulnerability affecting Storage Zones Controller versions 5.x and 6.x. The company told customers it had developed and released patched versions; those patched releases are intended to remediate the exploited weakness.
Patched releases: 5.12.5 and 6.0.2 restore operational status once applied
Progress identified the patched builds that contain the fix as Storage Zones Controller 5.12.5 and 6.0.2. The company told Infosecurity, “We developed and released patched versions to customers and once patched, these customers’ Storage Zones Controllers will be operational.” Access to the service was resumed company‑wide on July 14 after the suspension that began July 10.
Disclosure timing: Progress delays CVE publication to allow customers time to patch
Progress has not published a common vulnerabilities and exposures (CVE) identifier for the flaw. The company told BleepingComputer it is withholding CVE publication to give customers time to apply patches before technical details become public and "available to potential threat actors." Progress also told Infosecurity that, “At this time, we have no evidence of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat.”
What this means for ShareFile customers, security teams, and potential threat actors
- ShareFile customers: Applying Storage Zones Controller updates to versions 5.12.5 or 6.0.2 is the step Progress has identified as necessary to return local controllers to operational status.
- Security teams: Progress’ decision to delay CVE publication frames the immediate task as patch verification and deployment; Progress’ public statement of no evidence of unauthorized access sets the current investigative baseline.
- Potential threat actors: Progress explicitly cited the risk of public technical details becoming “available to potential threat actors” as the reason for the CVE delay, making the timing of future disclosure a focal point of risk management.
Progress’ handling of this incident follows a recent record of high‑profile product security events: the company experienced a 2023 breach of its MOVEit Transfer product that was exploited in widespread ransomware attacks, and a critical vulnerability in MOVEit Automation was reported in April 2026 that led to further disruptions. Those prior incidents provide the immediate context for why the timing of patch rollout and CVE publication is being watched closely.
The facts on the table are straightforward: Progress detected exploitation of a path traversal bug, issued patched versions (5.12.5 and 6.0.2), resumed service on July 14, and is delaying CVE publication to prioritize customer patching. Whether that sequencing will satisfy customers and observers who point to prior MOVEit incidents is the question Progress and its customers will now have to answer.
https://www.infosecurity-magazine.com/news/progress-restores-sharefile/




