You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
watchTowr Labs discovered and chained two vulnerabilities in the Progress ShareFile Storage Zone Controller (5.x branch) to achieve pre-authenticated remote code execution. CVE-2026-2699 is an authentication bypass rooted in CWE-698 (Execution After Redirect): the admin page calls .NET's Response.Redirect() with endResponse set to false, so the 302 is sent but page execution continues and the admin panel is rendered to any client that ignores the redirect, without credentials. CVE-2026-2701 is a post-authentication RCE: an attacker with admin access can reconfigure the Network Share Location to point at the IIS webroot, then upload a ZIP containing an ASPX webshell with the unzip=true parameter, which extracts the archive's files without renaming them or stripping their extensions. Chaining the two requires leaking TempData2 via a signed API call, decrypting the Zone Secret using a hardcoded salt, and computing an HMAC for the upload request. Approximately 30,000 instances are internet-facing. Both vulnerabilities were patched in version 5.12.4, released March 10, 2026.
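The two weakness classes in the summary, shown side by side in one ASP.NET WebForms file. This is an added illustration, not watchTowr's research code or Progress ShareFile's source: the AdminPage class, the LoadAdminControls method, the "AdminUser" session key, the SafeUnzip helper and the blocked-extension list are all hypothetical and only stand in for the patterns the advisory describes.

```csharp
// Added example (not watchTowr's or Progress's code). AdminPage, LoadAdminControls,
// the "AdminUser" session key and SafeUnzip are hypothetical names.
using System;
using System.IO;
using System.IO.Compression;
using System.Web;
using System.Web.UI;

public partial class AdminPage : Page
{
    // CWE-698 (Execution After Redirect). Response.Redirect(url, endResponse: false)
    // sets a 302 and a Location header but does not stop the page lifecycle:
    // Page_Load finishes, PreRender and Render still run, and the privileged
    // markup goes out in the body of the 302. A client that ignores the
    // Location header simply reads the admin panel.
    protected void Page_Load_Vulnerable(object sender, EventArgs e)
    {
        if (Session["AdminUser"] == null)
        {
            Response.Redirect("~/Login.aspx", false);
            // no return: execution continues here
        }
        LoadAdminControls(); // runs for unauthenticated requests too
    }

    // Hardened form: return early, tell the pipeline to skip to EndRequest, and
    // suppress any body the remaining lifecycle might still render, so the
    // unauthenticated client receives a bare 302 and nothing else.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Session["AdminUser"] == null)
        {
            Response.Redirect("~/Login.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            Response.SuppressContent = true;
            return;
        }
        LoadAdminControls();
    }

    private void LoadAdminControls()
    {
        // privileged content would be bound here
    }
}

// CVE-2026-2701 class: an "unzip on upload" feature that writes archive entries
// verbatim into a directory an admin can point at the IIS webroot. Two checks
// close it: the storage root may not sit under the application root, and no
// extracted file may carry a server-executable extension or escape the root.
public static class SafeUnzip
{
    // Denylist used for illustration; an allowlist of expected types is stronger.
    static readonly string[] BlockedExtensions =
        { ".aspx", ".ashx", ".asmx", ".asax", ".cshtml", ".config", ".dll", ".exe" };

    // Reject a Network Share Location that lies inside the IIS application root.
    public static bool StorageRootIsSafe(string storageRoot)
    {
        string appRoot = WithSeparator(Path.GetFullPath(HttpRuntime.AppDomainAppPath));
        string root = WithSeparator(Path.GetFullPath(storageRoot));
        return !root.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase);
    }

    public static void Extract(string zipPath, string storageRoot)
    {
        if (!StorageRootIsSafe(storageRoot))
            throw new InvalidOperationException("storage root overlaps the webroot");

        string root = WithSeparator(Path.GetFullPath(storageRoot));
        using (ZipArchive archive = ZipFile.OpenRead(zipPath))
        {
            foreach (ZipArchiveEntry entry in archive.Entries)
            {
                if (entry.Name.Length == 0)
                    continue; // directory entry, nothing to write

                // Resolve "../" and absolute entry names before the containment
                // check (zip slip). The root ends in a separator so that
                // "C:\store2\" cannot pass as a child of "C:\store\".
                string dest = Path.GetFullPath(Path.Combine(root, entry.FullName));
                if (!dest.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                    throw new InvalidDataException("entry escapes storage root: " + entry.FullName);

                string ext = Path.GetExtension(dest).ToLowerInvariant();
                if (Array.IndexOf(BlockedExtensions, ext) >= 0)
                    throw new InvalidDataException("server-executable entry rejected: " + entry.FullName);

                Directory.CreateDirectory(Path.GetDirectoryName(dest));
                entry.ExtractToFile(dest, overwrite: false);
            }
        }
    }

    private static string WithSeparator(string path)
    {
        return path.TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
               + Path.DirectorySeparatorChar;
    }
}
```

The redirect fix matters more than it looks: CompleteRequest() on its own does not stop the current page from rendering, which is why the guard also returns immediately and suppresses the body, and why the privileged work sits strictly after the guard. For the upload path, the storage-root check is the control that actually breaks the chain the advisory describes; the extension denylist is a second layer that would not help once an admin has already pointed the share at the webroot.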
Table of contents

What is Progress ShareFile?
What Are We Rambling About Today?
Dissecting The ShareFile Storage Zone Controller
There’s No Authentication Bypass Here?
WT-2026-0006 (CVE-2026-2699) - Authentication Bypass Vulnerability
Ok, But, What?
Onwards To RCE
You're In The Danger Zone!
WT-2026-0007 (CVE-2026-2701) - Post-Auth Remote Code Execution
Controlling the Upload Path
Uploading Webshell
Detection Artifact Generator
Timeline