CVE-2026-2699
Received Received - Intake
Unauthorized Access in ShareFile SZC Enables Remote Code Execution

Publication date: 2026-04-02

Last updated on: 2026-04-21

Assigner: Progress Software Corporation

Description
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-2699
EUVD
EUVD-2026-18218
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
progress sharefile_storage_zones_controller From 5.0.0 (inc) to 5.12.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-698 The web application sends a redirect to another location, but instead of exiting, it executes additional code.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2699 is a critical security vulnerability in Progress ShareFile Storage Zones Controller version 5.x that allows an unauthenticated remote attacker to access restricted configuration pages.

This unauthorized access can lead to changes in system configuration and potentially enable remote code execution, which means the attacker could run arbitrary code on the affected system.

Compliance Impact

The provided information does not specify how CVE-2026-2699 affects compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The vulnerability can have severe impacts including unauthorized modification of system configurations and the possibility of remote code execution.

  • An attacker could gain control over the system by changing configurations without authentication.
  • Remote code execution could allow the attacker to execute malicious code, potentially leading to data breaches, system compromise, or service disruption.

Because the vulnerability requires no authentication and has a high CVSS score of 9.8, it represents a critical risk to affected environments.

Detection Guidance

This vulnerability can be detected by sending a GET request to the endpoint /ConfigService/Admin.aspx on the ShareFile Storage Zones Controller instance.

If the HTTP response status code is anything other than 403, it indicates probable vulnerability. A 403 status code suggests the instance is probably not vulnerable.

A detection tool is available that automates this check by analyzing the HTTP response status code.

  • Example command using curl: curl -i http://<target-host>/ConfigService/Admin.aspx
  • Check the HTTP response status code from the above command; a code other than 403 indicates potential vulnerability.
Mitigation Strategies

To mitigate this vulnerability, it is strongly advised to upgrade the ShareFile Storage Zones Controller to version 5.12.4 or later.

Alternatively, upgrading to any version in the 6.x series is recommended, as these versions are not affected by this vulnerability.

Unsupported versions should be upgraded to a supported fixed release to ensure security.

Customers with active maintenance and warranty can seek technical support for upgrading.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart