watchTowr Labs

WatchTowr Labs discovered and chained two vulnerabilities in Progress ShareFile's Storage Zone Controller (branch 5.x) to achieve pre-authenticated remote code execution. CVE-2026-2699 is an authentication bypass caused by CWE-698 (Execution After Redirect) — the .NET Redirect() call uses a 'false' boolean flag, meaning page execution continues after the 302 redirect, exposing the admin panel without credentials. CVE-2026-2701 is a post-auth RCE: an attacker can reconfigure the Network Share Location to point to the IIS webroot, then upload a ZIP containing an ASPX webshell using the unzip=true parameter, which extracts files without renaming or stripping extensions. The chain requires leaking TempData2 via a signed API call, decrypting the Zone Secret using a hardcoded salt, and computing an HMAC for the upload request. Approximately 30,000 instances are internet-facing. The vulnerabilities were patched in version 5.12.4 released March 10, 2026.

You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)

Dissecting The ShareFile Storage Zone Controller

There’s No Authentication Bypass Here? WT-2026-0006 (CVE-2026-2699) - Authentication Bypass Vulnerability

WT-2026-0007 (CVE-2026-2701) - Post-Auth Remote Code Execution

Gain early access to our research, and understand your exposure, with the watchTowr Platform