CVE-2026-2699
Received Received - Intake

Unauthorized Access in ShareFile SZC Enables Remote Code Execution

Vulnerability report for CVE-2026-2699, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-02

Last updated on: 2026-04-21

Assigner: Progress Software Corporation

Description

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-02
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-02
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
progress sharefile_storage_zones_controller From 5.0.0 (inc) to 5.12.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-698 The web application sends a redirect to another location, but instead of exiting, it executes additional code.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-2699 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-2699 is a critical security vulnerability in Progress ShareFile Storage Zones Controller version 5.x that allows an unauthenticated remote attacker to access restricted configuration pages.

This unauthorized access can lead to changes in system configuration and potentially enable remote code execution, which means the attacker could run arbitrary code on the affected system.

Impact Analysis

The vulnerability can have severe impacts including unauthorized modification of system configurations and the possibility of remote code execution.

  • An attacker could gain control over the system by changing configurations without authentication.
  • Remote code execution could allow the attacker to execute malicious code, potentially leading to data breaches, system compromise, or service disruption.

Because the vulnerability requires no authentication and has a high CVSS score of 9.8, it represents a critical risk to affected environments.

Detection Guidance

This vulnerability can be detected by sending a GET request to the endpoint /ConfigService/Admin.aspx on the ShareFile Storage Zones Controller instance.

If the HTTP response status code is anything other than 403, it indicates probable vulnerability. A 403 status code suggests the instance is probably not vulnerable.

A detection tool is available that automates this check by analyzing the HTTP response status code.

  • Example command using curl: curl -i http://<target-host>/ConfigService/Admin.aspx
  • Check the HTTP response status code from the above command; a code other than 403 indicates potential vulnerability.
Mitigation Strategies

To mitigate this vulnerability, it is strongly advised to upgrade the ShareFile Storage Zones Controller to version 5.12.4 or later.

Alternatively, upgrading to any version in the 6.x series is recommended, as these versions are not affected by this vulnerability.

Unsupported versions should be upgraded to a supported fixed release to ensure security.

Customers with active maintenance and warranty can seek technical support for upgrading.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart