CVE-2026-2699 PUBLISHED

EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC)

Assigner: ProgressSoftware
Reserved: 18.02.2026 Published: 02.04.2026 Updated: 02.04.2026

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Progress
Product	ShareFile Storage Zones Controller
Versions	Default: unaffected affected from 0 to 5.12.3 (incl.)

Workarounds

Harden the Storage Zones Controller access using IIS or use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources.

Credits

Sonny of watchTowr finder

References

https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26

Problem Types

CWE-698: Execution After Redirect (EAR) CWE
CWE-284: Improper Access Control CWE

Impacts

CAPEC-115 Authentication Bypass