CVE-2026-2699 & CVE-2026-2701 - Critical Vulnerabilities Found

The Flaw

On March 10, 2026, Progress ShareFile disclosed two critical vulnerabilities in their Storage Zones Controller (SZC) 5.x. These vulnerabilities are tracked as CVE-2026-2699 and CVE-2026-2701. The first vulnerability, CVE-2026-2699, involves an authentication bypass due to improper handling of redirects and sessions in the /ConfigService/Admin.aspx endpoint. This flaw enables a remote unauthenticated attacker to gain access to restricted administrative functions.

What's at Risk

The implications of these vulnerabilities are severe. An attacker exploiting these flaws could potentially manipulate the system, access sensitive information, or perform unauthorized actions within the ShareFile environment. Organizations using the affected version of the Storage Zones Controller are at risk of significant data breaches and operational disruptions.

Patch Status

Progress ShareFile has released patches addressing these vulnerabilities. It is crucial for users to apply these updates immediately to mitigate the risks associated with these flaws. The patches are designed to correct the improper session handling and secure the affected endpoints.

Immediate Actions

Organizations should take the following steps to protect themselves:

• Update to the latest version of Progress ShareFile Storage Zones Controller.
• Review access logs for any unauthorized attempts to access administrative functions.
• Implement additional security measures, such as multi-factor authentication, to enhance protection against unauthorized access.

By addressing these vulnerabilities swiftly, organizations can safeguard their data and maintain the integrity of their systems.