A critical vulnerability identified as CVE-2026-2699 has been discovered in the Progress ShareFile Storage Zones Controller, posing a significant risk to organizations using this platform. With a CVSS score of 9.8, this flaw allows unauthenticated attackers to access restricted configuration pages, potentially leading to unauthorized changes in system configuration and remote code execution.
The vulnerability, published on April 2, 2026, is attributed to improper access control (CWE-284) and incorrect behavior order (CWE-698). These weaknesses enable attackers to bypass authentication mechanisms and manipulate system settings, which could compromise the integrity and security of the affected systems.
Two proof-of-concept exploits have already been made available, increasing the urgency for organizations to address this issue. The existence of these PoCs suggests that attackers could quickly develop and deploy real-world exploits, putting unpatched systems at immediate risk.
Organizations using the ShareFile Storage Zones Controller are advised to apply patches or mitigations provided by Progress as soon as possible to prevent potential exploitation. Given the critical nature of this vulnerability, swift action is essential to safeguard sensitive data and maintain system integrity.
CSURFACE