CVE-2026-2699 · Customer Managed ShareFile Storage Zones Controller (SZC)

01 · The Real Story

Like finding the admin side door unlocked on an old file-transfer gateway that only some customers still run

CVE-2026-2699 is an authentication bypass in customer-managed ShareFile Storage Zones Controller (SZC) that lets an unauthenticated remote attacker reach restricted configuration pages. The affected range is ShareFile Storage Zones Controller 5.0.0 through 5.12.3; 5.12.4 fixes it, and the 6.x branch is not affected. This is the on-prem controller product, not ShareFile SaaS itself.

The vendor's CRITICAL 9.8 is fair for the *chain* story but too aggressive for this CVE *by itself*. Real-world risk drops because the exposed population is narrower than a generic internet RCE: it only hits customer-managed 5.x, many enterprises do not expose SZC broadly, and the public watchTowr research shows the headline pre-auth RCE outcome comes from chaining CVE-2026-2699 with CVE-2026-2701, not from CVE-2026-2699 alone.

"Dangerous edge auth bypass, but the vendor's 9.8 overstates the standalone bug more than the real-world blast radius"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed SZC 5.x edge

The attacker first identifies a customer-managed ShareFile Storage Zones Controller reachable over HTTPS. Public guidance from Progress shows standard zones need a publicly accessible address on port 443, while runZero published product queries defenders can use to inventory the same footprint. Typical recon uses passive discovery plus fingerprinting of ShareFile/IIS characteristics.

Conditions required:

Target runs customer-managed ShareFile Storage Zones Controller 5.x
The controller is reachable from the attacker network, commonly the internet
The asset was not already upgraded to 5.12.4 or 6.x

Where this breaks in practice:

This is not ShareFile SaaS and not the 6.x branch
Many enterprises front SZC behind a DMZ proxy or restrict inbound paths
The product is niche compared with mass-market edge software, shrinking the candidate set

Detection/coverage: Asset inventory products can find it; runZero published a product query for ShareFile SZC. External attack-surface scanners should be able to flag internet-facing hosts, but generic vuln scanners may lag product fingerprinting.

STEP 02

Bypass auth to config pages with watchTowr's detection path

watchTowr published a Detection Artifact Generator that sends a GET request to /ConfigService/Admin.aspx and treats anything other than the expected deny as a sign of exposure. That is the practical signal for CVE-2026-2699: the attacker reaches configuration functionality that should require authentication. At this stage the bug is an access-control failure, not yet guaranteed code execution.

Conditions required:

Unauthenticated network access to the SZC web app
Vulnerable 5.x build
Admin path is directly reachable or forwarded by the fronting proxy

Where this breaks in practice:

A properly implemented DMZ proxy model can reduce arbitrary inbound access
Reverse proxies or WAF rules that block direct access to /ConfigService/Admin.aspx can break the primitive
IIS hardening and IP allowlists can make the path unreachable from the internet

Detection/coverage: High-signal web logs: requests to /ConfigService/Admin.aspx, especially from non-admin source IPs, external addresses, or scanners. The public watchTowr GitHub tool is detection-focused and can be adapted by defenders for validation.

STEP 03

Abuse configuration access to take over the zone or prepare the RCE chain

Once inside restricted configuration pages, an attacker can change storage-related settings and controller behavior. Public research ties this access directly to zone takeover potential and, when paired with CVE-2026-2701, to pre-auth RCE. In other words, CVE-2026-2699 is the door-opener that turns an admin-only function into an attacker-controlled staging point.

Conditions required:

Successful auth bypass from step 2
Target uses vulnerable workflows that trust configuration changes
For full public RCE chain, CVE-2026-2701 is also present

Where this breaks in practice:

Standalone CVE-2026-2699 does not automatically equal one-request shell
Chaining to public full RCE depends on a second flaw or follow-on abuse path
Operational impact varies with how the zone is configured and what backends it can reach

Detection/coverage: Look for configuration changes on the controller, unexpected edits to storage settings, and unusual admin-page access without a corresponding interactive admin session. File integrity monitoring and ShareFile/IIS admin audit logs help here.

STEP 04

Reach data stores and pivot from the controller

A compromised Storage Zones Controller is attractive because it sits between ShareFile users and enterprise data stores. Progress documentation shows SZC commonly brokers access to local storage, SMB-backed shares, or other private storage, so controller compromise can lead to data exposure, storage redirection, or deeper lateral movement. If the attacker completes the 2699+2701 chain, Windows host compromise becomes the pivot point.

Conditions required:

Controller has access to file shares, storage backends, or adjacent internal services
Service account or Network Service rights are sufficient to reach stored content
Outbound network paths from the controller are not tightly segmented

Where this breaks in practice:

Blast radius depends heavily on how much trust the SZC host has into storage and identity tiers
Least-privilege service accounts and segmentation can contain follow-on abuse
EDR and Windows telemetry are more likely to catch the post-exploitation phase than the initial auth bypass

Detection/coverage: Monitor SMB access spikes, unusual outbound connections from the SZC Windows host, child process execution from IIS worker processes, and drift in storage endpoint configuration. EDR should light up if the attack reaches code execution.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	Reviewed sources do not show confirmed in-the-wild exploitation. Progress said on 2026-04-06 it had not received reports of exploitation; CISA KEV does not list this CVE in the catalog reviewed in this session.
PoC / tooling	Public tooling exists. watchTowr published a GitHub Detection Artifact Generator for CVE-2026-2699 and a technical write-up describing the CVE-2026-2699 + CVE-2026-2701 pre-auth RCE chain.
EPSS	User-provided EPSS is 0.37379, which is materially high for prioritization. Inference: that likely places it in the upper EPSS percentiles, but I did not independently confirm the exact percentile from FIRST data in this session.
KEV status	Not listed in CISA's Known Exploited Vulnerabilities catalog as reviewed here. That removes the strongest possible urgency amplifier.
CVSS vector reality check	Vendor vector is `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. That vector assumes direct unauthenticated network reachability and treats impact like full compromise; in practice, the public RCE story relies on a second CVE, so the standalone record is somewhat overstated.
Affected versions	NVD shows 5.0.0 up to but excluding 5.12.4. watchTowr and runZero describe the vulnerable population as 5.x through 5.12.3.
Fixed versions	Progress says upgrade 5.x to 5.12.4 or move to any 6.x version, because 6.x is not impacted.
Exposure population	The reachable population is narrower than the CVSS suggests because this is only customer-managed SZC, not the hosted service. Progress documentation says standard zones typically need a publicly accessible controller on 443, but it also documents a DMZ proxy mode that can constrain direct inbound access.
Scanning / detection coverage	runZero published an inventory query for impacted assets, and watchTowr published a direct detector hitting `/ConfigService/Admin.aspx`. I did not find reliable public GreyNoise/Shodan/Censys/FOFA counts in primary sources reviewed here, so don't assume mass internet prevalence from the CVSS alone.
Disclosure / researcher	Public disclosure date is 2026-04-02. The vulnerability chain was identified and disclosed by watchTowr Labs; the watchTowr resource page credits Grahame Turner and the GitHub tool credits Sonny and Piotr.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to HIGH (8.4/10)

The decisive downgrade factor is that standalone CVE-2026-2699 is an unauthenticated config-access bug, while the public pre-auth RCE story depends on chaining it with CVE-2026-2701. It is still a serious edge exposure because affected SZC hosts are often internet-reachable and sit in front of sensitive enterprise storage, but the exposed population is much narrower than a generic 9.8 internet RCE.

HIGH Affected version range and fixed version

HIGH Standalone-versus-chain distinction with CVE-2026-2701

MEDIUM Real-world exposure population across enterprises

Why this verdict

Baseline starts at 9.8, then drops for product scope: this only affects customer-managed ShareFile SZC 5.x. ShareFile SaaS and all 6.x deployments are outside the blast radius.
Exposure is edge-only, not universal: exploitation requires network reachability to the controller's admin path. Progress documents internet-facing standard zones, but also documents DMZ proxy patterns that materially reduce direct attacker reach.
This CVE is the opener, not the full finish: the public watchTowr research ties headline pre-auth RCE to CVE-2026-2699 + CVE-2026-2701 together. Scoring CVE-2026-2699 alone like a self-contained one-shot RCE overstates the practical impact.

Why not higher?

I am not calling this CRITICAL because the most damaging public outcome requires a chain, not CVE-2026-2699 in isolation. On top of that, there is no KEV listing and no confirmed exploitation evidence in the reviewed primary sources, which matters for a population-limited on-prem product.

Why not lower?

I am not dropping this to MEDIUM because the bug is still unauthenticated, remote, and edge-relevant on a Windows server that brokers access to enterprise storage. If your org exposes customer-managed SZC externally, this is exactly the sort of foothold that turns into data theft or full host compromise once combined with adjacent weakness or misconfiguration.

05 · Compensating Control

What to do — in priority order.

Restrict admin paths now — Block or allowlist direct access to /ConfigService/Admin.aspx and related configuration endpoints so only trusted management sources or the approved ShareFile path can reach them. For a HIGH verdict, deploy this within 30 days unless your instance is already internet-facing and confirmed vulnerable, in which case do it as the first containment step.
Put exposed SZC behind the documented DMZ / proxy model — Progress documents a DMZ proxy pattern specifically to ensure only approved traffic reaches storage zones controllers. If you cannot patch immediately, move public-facing reachability away from the controller itself and enforce the proxy path within 30 days.
Hunt for unauthorized config access — Alert on web requests to /ConfigService/Admin.aspx, especially from external IPs, scanners, or addresses outside admin networks. Pair IIS logs with config-drift monitoring so you can spot the auth-bypass stage before it becomes zone takeover or a chained RCE.
Constrain the controller's downstream trust — Reduce what the SZC host and service context can reach: SMB shares, storage backends, and outbound internet paths. This will not fix the bypass, but it limits blast radius if the attacker gets config access; make these least-privilege changes within 30 days.

What doesn't work

MFA on the normal admin login does not stop an authentication bypass to config pages.
EDR alone does not prevent the initial exposure; it may catch post-exploitation, but CVE-2026-2699 starts as a web-layer access control failure.
Rotating TLS certificates or changing the public hostname does not remove the vulnerable code path.

06 · Verification

Crowdsourced verification payload.

Run this on the Windows host running ShareFile Storage Zones Controller, ideally from an elevated PowerShell prompt so registry access is reliable. Save as check-sharefile-cve-2026-2699.ps1 and run powershell.exe -ExecutionPolicy Bypass -File .\check-sharefile-cve-2026-2699.ps1; it checks installed product versions from standard uninstall registry keys and returns VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.ps1

POWERSHELLREAD-ONLYSAFE

# Requires: Windows PowerShell 5+ or PowerShell 7+

# Purpose: Detect likely exposure to CVE-2026-2699 on ShareFile Storage Zones Controller

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN


$ErrorActionPreference = 'Stop'

function Normalize-Version {
    param([string]$Version)
    if ([string]::IsNullOrWhiteSpace($Version)) { return $null }
    $clean = ($Version -replace '[^0-9\.]', '').Trim('.')
    if ([string]::IsNullOrWhiteSpace($clean)) { return $null }
    $parts = $clean.Split('.') | Where-Object { $_ -ne '' }
    while ($parts.Count -lt 4) { $parts += '0' }
    if ($parts.Count -gt 4) { $parts = $parts[0..3] }
    try { return [version]($parts -join '.') } catch { return $null }
}

function Get-ShareFileProducts {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $items = foreach ($path in $paths) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue | Where-Object {
            ($_.DisplayName -match 'ShareFile') -or
            ($_.DisplayName -match 'Storage\s*Zones\s*Controller') -or
            ($_.DisplayName -match 'StorageZones\s*Controller')
        } | Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }

    return $items
}

$fixedV5 = Normalize-Version '5.12.4'
$products = Get-ShareFileProducts

if (-not $products -or $products.Count -eq 0) {
    Write-Output 'UNKNOWN - ShareFile Storage Zones Controller not found in uninstall registry keys'
    exit 2
}

$best = $null
foreach ($p in $products) {
    $v = Normalize-Version $p.DisplayVersion
    if ($v) {
        if (-not $best -or $v -gt $best.Version) {
            $best = [pscustomobject]@{
                Name = $p.DisplayName
                RawVersion = $p.DisplayVersion
                Version = $v
                Publisher = $p.Publisher
                InstallLocation = $p.InstallLocation
            }
        }
    }
}

if (-not $best) {
    Write-Output 'UNKNOWN - Matching ShareFile product found, but version could not be parsed'
    exit 2
}

# Logic based on vendor advisory:

# - 5.x versions prior to 5.12.4 are affected

# - 6.x versions are not affected

if ($best.Version.Major -ge 6) {
    Write-Output ("PATCHED - {0} version {1} (6.x branch not affected)" -f $best.Name, $best.RawVersion)
    exit 0
}
elseif ($best.Version.Major -eq 5) {
    if ($best.Version -lt $fixedV5) {
        Write-Output ("VULNERABLE - {0} version {1} is older than 5.12.4" -f $best.Name, $best.RawVersion)
        exit 1
    }
    else {
        Write-Output ("PATCHED - {0} version {1} is at or above 5.12.4" -f $best.Name, $best.RawVersion)
        exit 0
    }
}
else {
    Write-Output ("UNKNOWN - Found {0} version {1}; version family not covered by this detector" -f $best.Name, $best.RawVersion)
    exit 2
}

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, treat this as an edge-app inventory and exposure problem first: identify every customer-managed ShareFile SZC 5.x host, verify which ones are internet-facing, and immediately restrict direct access to configuration endpoints while you line up the upgrade. For a HIGH verdict, the noisgate mitigation SLA is within 30 days for exposure controls like proxying, allowlisting, or admin-path blocking, and the noisgate remediation SLA is within 180 days to move all affected hosts to 5.12.4 or a 6.x release; internet-facing systems should be at the front of that queue.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.