Cyber Posture

CVE-2026-2699

Severity: Critical · Public PoC available

Published: 02 April 2026
Modified: 21 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2526 (96.2 percentile)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly restricts permitted actions without identification or authentication, preventing unauthenticated access to restricted configuration pages.
- prevent: Enforces approved authorizations for access to system resources, blocking unauthenticated attackers from reaching sensitive configuration functions.
- prevent: Restricts access to configuration change capabilities to authorized individuals only, mitigating unauthorized modifications that could lead to RCE.

Security Summary (AI-generated)

CVE-2026-2699 is a critical vulnerability in the Customer Managed ShareFile Storage Zones Controller (SZC), where an unauthenticated attacker can access restricted configuration pages. This improper access control issue, mapped to CWE-284 and CWE-698, enables attackers to modify system configurations and potentially achieve remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe impact on confidentiality, integrity, and availability.

Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of prerequisites like privileges or user interaction. Successful exploitation allows modification of sensitive system settings, which could lead to full remote code execution on the affected SZC instance, compromising the entire storage controller environment.

Mitigation details and security advisories are available in the official ShareFile documentation at https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26, along with analysis from WatchTowr Labs on GitHub at https://github.com/watchtowrlabs/watchTowr-vs-Progress-ShareFile-CVE-2026-2699. Security practitioners should consult these resources for patching instructions and workaround guidance.

Details

CWE(s)

Affected Products

Progress ShareFile Storage Zones Controller, versions 5.0.0 through 5.12.4

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote access to restricted configuration pages enabling config changes and RCE directly facilitates T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References