CVE-2026-2701 PUBLISHED

RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)

Assigner: ProgressSoftware
Reserved: 18.02.2026 Published: 02.04.2026 Updated: 02.04.2026

An authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Product Status

Vendor: Progress
Product: ShareFile Storage Zones Controller
Versions (default: unaffected):
  • affected from 0 to 5.12.3 (incl.)

Workarounds

Reset the secret and password using the custom tool provided by ShareFile.

Credits

  • Piotr Bazydlo of watchTowr (finder)

Problem Types

  • CWE-434: Unrestricted Upload of File with Dangerous Type
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')

Impacts

  • This vulnerability allows an authenticated user to upload a malicious file to the server and execute it, potentially leading to remote code execution.