Progress ShareFile zero-day forced emergency server shutdowns; patch is out

A path traversal flaw in Storage Zone Controllers let admin users read and write files they shouldn't. Progress says no customer breach has been found.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • Progress Software confirmed on the week of the disclosure that a high-severity zero-day, meaning a flaw the vendor had not previously patched, is behind the emergency shutdown of ShareFile Storage Zone Controllers.
  • The bug is a path traversal vulnerability affecting all 5.x and 6.x versions of ShareFile Storage Zone Controller.
  • Progress has released fixed versions 5.12.5 and 6.0.2 and told customers to install them before bringing servers back online.
  • A CVE identifier has been reserved and will be published in roughly two weeks.
  • Progress says it has found no evidence that any customer account or data was accessed.

Progress Software has confirmed what many of its customers suspected last week: a serious, previously unknown flaw is why they were told to yank their file-sharing servers offline in a hurry.

The product involved is ShareFile Storage Zone Controller. It is a piece of software companies run on their own Windows servers so they can keep sensitive files in-house while still using ShareFile's cloud service for logins and sharing. Think of it as the on-site vault behind a cloud front door.

Last week Progress told customers to shut those servers down immediately, citing a "credible external security threat." It also cut off access to any ShareFile account that used a Storage Zone Controller while it investigated.

The company has now explained what it found. The bug is a path traversal flaw, which is a class of weakness that lets an attacker trick software into reading or writing files outside the folders it is supposed to touch.

In Progress's own words, seen in a customer email first reported by BleepingComputer, "an authenticated administrative user can read arbitrary files accessible to the application's service account, write threat actor-controlled content to arbitrary directories or enumerate the server filesystem layout."

In plain English: someone with an admin login could pull files off the server, drop malicious files onto it, or map out its contents. That is a valuable capability for extortion crews, because Storage Zone Controllers hold the actual documents customers upload.

Were any customers actually breached?

Progress says no, at least not that it can see. "Currently, we have no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat," the company told customers.

That is a careful statement. It means Progress has not found evidence of intrusions, not that intrusions are impossible. The company has not said whether the flaw was found internally or reported by an outside researcher, and it has not explained why the CVE identifier will only be published in about two weeks.

The capability described here (read files, write files, list the filesystem) is exactly what data-theft gangs look for. Groups like Cl0p have built entire campaigns around Progress file-transfer products before, most famously the 2023 MOVEit Transfer attacks that hit hundreds of organisations. That is capability, not confirmed intent here. No attribution has been offered by Progress or by third-party researchers as of publication.

What should ShareFile customers do now?

Install the fix. Progress has published ShareFile Storage Zone Controller 5.12.5 and 6.0.2. Only bring servers back online after the update is in place.

Organisations should also check logs from before the shutdown for unusual admin activity, unexpected file reads, or files appearing in odd directories. Because the flaw requires an authenticated admin account, any sign that admin credentials were reused, phished, or shared with third parties is worth chasing down.

End users of ShareFile, the staff who upload and download documents, do not need to take action themselves. Their access was already suspended during the incident and will be restored by their IT teams once servers are patched.

We will update this story if Progress releases further technical detail or the reserved CVE is published.

© 2026 Threat Vectr