Progress tells ShareFile customers to pull the plug amid 'credible' threat

The maker of a widely used file-sharing tool is emailing on-premises customers to shut down their servers now, while it investigates what it calls a credible external threat.

ThreatVectr Newsdesk· 3 min read
Photoreal editorial image, 16:9, full-frame edge to edge, of a dim server room with one rack unit powered off, its status lights dark while surrounding units gl
Share

Key points

  • Progress Software emailed ShareFile customers on the on-premises version of the product to immediately shut down their Storage Zone Controller servers.
  • The company describes the reason as a "credible external security threat" but has not yet named a vulnerability or attacker.
  • Only self-hosted deployments using Storage Zone Controllers are affected; the fully cloud-hosted ShareFile service is not part of the warning.
  • Progress is the same vendor behind the MOVEit file-transfer tool, which was mass-exploited by the Clop ransomware crew in 2023.
  • Customers are told to keep servers offline until Progress issues further guidance.

Progress Software is telling some of its ShareFile customers to switch off their servers right now.

ShareFile is a secure file-sharing product used by businesses to send sensitive documents to clients and staff. Most customers use the cloud version that Progress runs itself. A smaller group runs it on their own hardware using a component called a Storage Zone Controller, which is the piece that actually stores the files on the customer's network.

It is that self-hosted group Progress is emailing.

The message, first reported by BleepingComputer, calls the situation a "credible external security threat" and asks customers to take their Storage Zone Controller servers offline immediately. Progress has not publicly named a specific flaw, has not issued a CVE identifier, and has not said whether anyone has already been broken into.

What does this actually mean for customers?

If your company runs ShareFile on its own servers, an administrator needs to shut those servers down today and wait for Progress to say more. Everyday users of the cloud version of ShareFile do not need to do anything: Progress has not flagged the hosted service.

That is roughly the shape of the advisory so far. Short, urgent, and thin on technical detail.

Why the alarm bells are loud

Progress is the same company that makes MOVEit Transfer, another file-moving tool. In 2023, a flaw in MOVEit was used by the Clop ransomware group (tracked as TA505 by Mandiant, and overlapping with the cluster Microsoft calls Lace Tempest) to steal data from hundreds of organisations. The blast radius eventually touched thousands of downstream companies, from payroll providers to government agencies.

That memory is doing a lot of work here. When Progress tells file-transfer customers to pull the plug, defenders listen.

It is worth being careful, though. Nothing in the current email points to a specific group. There is no confirmed attribution, no named malware family, and no public indicators of compromise as of writing. Capability and intent are separate questions from who, and the who is not established. Treat any early social media claims with skepticism.

What defenders should do now

If you run ShareFile Storage Zone Controllers, shut them down and confirm you have received the Progress notification. Preserve logs before you do anything destructive: web server logs, controller logs, and any endpoint telemetry from the host. Those will matter if forensics is needed later.

Check outbound traffic from the controller host for the past 30 days. File-transfer boxes are attractive because they are trusted to move large volumes of data outward, which makes exfiltration look like normal business.

Watch the Progress advisory page for updates and a formal CVE. If a patch appears, apply it in a maintenance window with a snapshot, not in place.

The bigger pattern

Managed file transfer keeps landing on the target list. GoAnywhere MFT, MOVEit, Cleo, Accellion before them. The pattern is consistent: internet-facing appliances that hold sensitive documents, run complex code, and sit outside the usual endpoint monitoring. Nation-state crews and financially motivated ransomware groups both like them for the same reason. The files are already sorted for you.

More detail on the ShareFile issue is expected from Progress in the coming days.

© 2026 Threat Vectr