Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
An attacker without any authentication can gain access to protected configuration pages of the Storage Zones Controller component. Lack of proper access control (CWE-284) allows bypassing authorization mechanisms and directly accessing protected administrative resources. After gaining access to the configuration panel, the attacker can modify system settings in a way that leads to remote code execution on the server.
An attacker can gain full control of the server through arbitrary code execution (RCE), and can also modify system configuration, which may result in breaches of confidentiality, integrity, and availability of data stored in the ShareFile environment.
Apply patches available from the vendor in accordance with references — details available at: https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26. Until updates are deployed, it is recommended to restrict network access to the Storage Zones Controller administration panel exclusively to trusted IP addresses.
Progress ShareFile Storage Zones Controller (Customer Managed) — versions indicated in the vendor references (security documentation from February 2026).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HProgress Sharefile Storage Zones Controller
APPProgress5.0.0 – 5.12.4 (bez)
Related vulnerabilities
RCE w Progress Sharefile Storage Zones Controller — upload złośliwego pliku
SQL Injection w Progress WhatsUp Gold — kradzież zaszyfrowanych haseł
Progress WhatsUp Gold – nieuwierzytelniony RCE przez path traversal
Progress LoadMaster – nieuwierzytelnione RCE przez command injection w interfejsie zarządzania
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deseria...