A single false passed to .NET's Response.Redirect() exposed the admin panel. That one Boolean gave unauthenticated attackers full access to Progress ShareFile's Storage Zones Controller. From there, six steps chain to remote code execution. watchTowr estimates 30,000 instances are exposed on the public internet.
Two CVEs carry the chain. CVE-2026-2699 (CVSS 9.8) is the authentication bypass. CVE-2026-2701 (CVSS 9.1) turns admin access into a webshell.
Progress patched both in v5.12.4 on March 10, 2026. The embargo lifted April 2, and watchTowr published the full chain.
The one parameter
ShareFile's admin page (/ConfigService/Admin.aspx) checks authentication. If the user is not logged in, it calls RedirectAndCompleteRequest(), which wraps .NET's Response.Redirect() with two arguments: the redirect URL and the Boolean false.
Microsoft's documentation is clear on what that Boolean does. The second parameter controls whether page execution terminates. Set it to false, and the server sends a 302 redirect header but keeps rendering the rest of the page. The admin interface ships in the response body, hidden only by the redirect the browser follows.
Intercept the response. Drop the Location header. The full admin panel renders on screen, and every configuration action executes server-side regardless of what the client does.
watchTowr classifies this as CWE-698, Execution After Redirect. The class is a PHP staple, where developers call a redirect and forget to die(). Finding it in a .NET enterprise product is the part that stings. Progress's own advisory labels CVE-2026-2699 as "Execution After Redirect."
Admin panel to webshell in six steps
With the admin panel open, the attacker runs a chain that exists because of two things: a writable Storage Zone configuration, and an upload endpoint that extracts ZIPs without renaming their contents.
Change the Network Share Location (where ShareFile stores uploaded files) to point at the application's own webroot: C:\inetpub\wwwroot\ShareFile\StorageCenter\documentum. ShareFile checks write permission. It does not restrict the path.
Set a new encryption passphrase on the Zone configuration. The admin panel auto-populates the field from the server, and overwriting it grants the ability to sign subsequent API requests.
Query /ConfigService/api/StroageZoneConfig (the typo lives in the original ShareFile code) to retrieve TempData2. This is the Zone Secret, base64-encoded and AES-encrypted. The attacker decrypts it using the passphrase they just set and a hard-coded salt, p3510060xfZ2s9.
With the Zone Secret, compute valid HMAC-SHA256 signatures for upload requests. Upload authentication is now bypassed.
Upload a ZIP. ShareFile's upload endpoint supports a unzip=true parameter. Regular uploads rename files to random GUIDs with no extension, which defeats webshells. Extracted ZIP contents keep their original filenames.
The attacker ships a .aspx webshell inside a ZIP. It extracts straight into the webroot.
Because ShareFile Storage is commonly used to manage and store sensitive enterprise data, the software is particularly attractive to threat actors with similar platforms having a long history of being targeted. Given the public disclosure of exploit code and sensitive data hosted in these systems, Beazley Security suspects exploitation attempts will begin soon.
— Beazley Security advisory
What this product does
ShareFile is a Citrix product that Progress acquired in 2024. The Storage Zones Controller is its on-premises half. This is the piece that keeps enterprise files on the customer's own infrastructure while the SaaS side handles access and collaboration. Supported backends include local file systems, SMB, AWS S3, and Azure Storage.
The product exists because some organisations cannot put files in someone else's cloud. Legal firms, financial services, healthcare, government contractors. Data sovereignty requirements, regulatory rules, sensitivity classifications that rule out SaaS storage.
Branch 5.x (ASP.NET) is affected. Branch 6.x (.NET Core) is not.
File transfer products keep ending up here
watchTowr opens their writeup with an observation. File transfer products dominate the CISA Known Exploited Vulnerabilities catalog. The receipts are public.
MOVEit Transfer in 2023 handed the Cl0p ransomware gang thousands of organisations through a SQL injection zero-day. That breach became one of the defining supply chain incidents of the decade. Cleo Harmony and VLTrader saw active exploitation in 2024, also tied to ransomware. Fortra GoAnywhere MFT followed in 2025.
ShareFile has its own priors. CVE-2021-22941, an unauthenticated RCE in the same Storage Zones Controller, was added to the CISA KEV catalog. CVE-2020-7473, CVE-2020-8982, and CVE-2020-8983 disclosed access control flaws in the same product line before that.
The pattern is consistent. These products sit on the public internet, hold sensitive data, and serve as the shortest path between an attacker and something worth stealing.
Put a file transfer product on the internet, fill it with enterprise secrets, wait for someone to find the one broken thing. Here the one broken thing was a Boolean that kept the page rendering after a redirect. Thirty thousand servers were running that configuration when watchTowr found it.
Disclosure timeline
| Date | Event |
|---|---|
| February 6, 2026 | watchTowr discloses CVE-2026-2699 to Progress |
| February 13, 2026 | watchTowr discloses CVE-2026-2701 to Progress |
| February 14, 2026 | Progress confirms CVE-2026-2699, identifies CWE-698 |
| February 16, 2026 | watchTowr provides Python PoC chaining both vulnerabilities |
| February 18, 2026 | Progress replicates full chain |
| February 26, 2026 | Progress assigns CVEs, requests embargo until April 2 |
| March 10, 2026 | Progress releases patched version 5.12.4 |
| April 2, 2026 | Embargo lifts. watchTowr publishes research. CVEs published. |
What to do now
Shadowserver Foundation observes 700 exposed instances from its scanning, predominantly in the United States and Europe. Many Storage Zones Controllers run on internal networks and never appear in scans. The real attack surface is larger than either number suggests.
Progress's advisory reports no confirmed exploitation yet. watchTowr's writeup is detailed enough to rebuild the exploit chain. Beazley Security expects attempts imminently, and the window between disclosure and active exploitation of file transfer products keeps shrinking.
Upgrade Storage Zones Controller to v5.12.4 or migrate to branch 6.x immediately. Audit C:\inetpub\wwwroot\ShareFile\StorageCenter\ for unexpected .aspx files. Verify that Network Share Location has not been pointed at webroot directories. Block external access to /ConfigService/. Run the watchTowr Detection Artifact Generator to check for exposure. The tool flags hosts where Admin.aspx returns a 302 status code with more than 10,000 characters in the body, the signature of the EAR flaw.
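The exposure check described above, as an added example that is not watchTowr's tool or code from the article: it applies the 302-plus-oversized-body heuristic to a raw response saved from a proxy, or fetches Admin.aspx from a host you administer without following the redirect. The sample responses are constructed; ADMIN_PATH and the 10,000-byte threshold are taken from the article.

```python
"""Added example: flag a Storage Zones Controller whose unauthenticated
Admin.aspx answers with a redirect but still carries a full page body,
the execution-after-redirect signature described for CVE-2026-2699.
Sample responses below are constructed, not real captures."""
import urllib.error
import urllib.request

BODY_THRESHOLD = 10_000                       # threshold named in the article
ADMIN_PATH = "/ConfigService/Admin.aspx"
REDIRECTS = (301, 302, 303, 307, 308)

def classify(status: int, body: bytes) -> tuple[bool, str]:
    """Return (suspicious, reason) for one unauthenticated Admin.aspx response."""
    n = len(body)
    if status in REDIRECTS and n > BODY_THRESHOLD:
        return True, f"{status} with {n}-byte body: page rendered after redirect"
    if status in REDIRECTS:
        return False, f"{status} with {n}-byte body: redirect only"
    return False, f"status {status}: no redirect observed"

def parse_raw_response(raw: bytes) -> tuple[int, bytes]:
    """Split a raw HTTP/1.1 response (e.g. saved from a proxy) into status and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    return int(status_line.split()[1]), body

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx response instead of following Location, so the body is measurable."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(base_url: str, timeout: float = 10.0) -> tuple[bool, str]:
    """Fetch Admin.aspx from a host you administer and classify the live response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + ADMIN_PATH, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:     # urllib raises on an unfollowed 3xx
        return classify(err.code, err.read())

# Constructed samples: a 302 carrying a full admin page, and a bare 302.
VULNERABLE_SAMPLE = (b"HTTP/1.1 302 Found\r\nLocation: /ConfigService/Login.aspx\r\n"
                     b"Content-Type: text/html\r\n\r\n<html>"
                     + b"<div class='admin-row'></div>" * 500 + b"</html>")
PATCHED_SAMPLE = b"HTTP/1.1 302 Found\r\nLocation: /ConfigService/Login.aspx\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("vulnerable", VULNERABLE_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(name, classify(*parse_raw_response(raw)))
```

A 200 from Admin.aspx is not flagged: it means either an authenticated session or a host whose login flow differs, so it needs a manual look rather than an automatic verdict.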
The vulnerable chain ran for weeks before the patch. Customers on Storage Zones Controller 5.x lived with an unauthenticated RCE path between product acquisition and March 10. The duration is unknown.
Our April 2 vulnerability digest covered this chain in summary. This is the detailed breakdown.