Progress Software delivered a blunt message to certain ShareFile customers this week. Shut down your Windows servers running Storage Zone Controllers. Now.
The directive surfaced July 10 when one recipient shared the company email on Reddit’s r/sysadmin forum. Progress soon updated its status page. Storage Zone Controller customers showed as “not operational.” The firm called the matter an active investigation tied to a “credible external security threat.”
Short sentences capture the shock. Take everything offline. No patch. No timeline for return. Just stop.
Progress confirmed details to The Hacker News. It temporarily disabled access to affected accounts “out of an abundance of caution” while consulting internal and external security experts. The company added it saw “no indication of unauthorized access to any ShareFile accounts or data.” Yet it offered no specifics on the threat itself or the actors involved. Silence on that front leaves administrators guessing.
Storage Zone Controllers occupy a distinct spot in the ShareFile architecture. Organizations deploy them on their own premises. Files remain behind the corporate firewall. The cloud service handles sharing, permissions and collaboration. But the controller sits at the network edge, reachable from the internet. That placement delivers convenience. It also creates exposure.
Progress has not linked the current alert to any known issue. Still, the product’s track record invites scrutiny. In 2023, when ShareFile belonged to Citrix, attackers exploited CVE-2023-24489. The flaw sat in the Storage Zones Controller. It allowed unauthenticated access. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog. Citrix responded by blocking unpatched controllers from the ShareFile cloud. The same access restriction appears in play today.
Progress acquired ShareFile in 2024. It inherited both the customer base and the history of scrutiny. The firm itself faced fallout from the 2023 MOVEit Transfer attacks. The Clop ransomware group used a zero-day in that file-transfer product to hit more than 2,700 organizations. Patterns repeat. On-premises file gateways draw determined adversaries.
Earlier this year the story continued. Researchers at watchTowr Labs uncovered two critical flaws in the Storage Zones Controller 5.x line. They detailed the chain in a report published April 2. The first bug, tracked as CVE-2026-2699, let unauthenticated attackers reach restricted configuration pages. The second, CVE-2026-2701, enabled arbitrary file uploads that could place malicious ASPX webshells in the web root. Chained together they delivered pre-authentication remote code execution. Progress fixed both in version 5.12.4, released quietly in March. It also recommended migration to the 6.x branch, which escaped impact.
WatchTowr Labs demonstrated the attack in detail. An unauthenticated remote actor could bypass authentication on the Admin.aspx page, alter zone settings, upload a crafted archive and achieve full server control. The proof-of-concept left little to the imagination. Security bulletins from Progress and coverage in Cybersecurity Dive urged immediate upgrades. At the time Progress reported no known exploitation.
That was spring. Summer brings fresh alarm. A new article from CyberSecurity News, published within the last 12 hours, notes the shutdown order and speculates the threat could tie to renewed exploitation of the Storage Zone Controller architecture or an entirely new zero-day. The piece highlights the product’s repeated exposure. It advises isolating internet-facing instances and monitoring for further guidance. No CVE has surfaced for whatever Progress faces now.
Conversations on X reflect the same uncertainty. One post from security account @DarkWebInformer described the alert as a response to a “credible external security threat” and noted cloud access had been blocked pending investigation. Another user tagged ShareFile directly, demanding a public statement. Sysadmins on Reddit swapped theories. Some suggested the move pointed to an actively exploited unauthenticated remote code execution flaw. Others pointed back to the March patches and asked why more detail had not arrived. One administrator reported shutting systems down immediately despite believing they ran current versions. Frustration mounted as support queues filled.
Progress has walked this path before. Each episode follows a familiar script. Discovery. Disclosure. Patch. Then quiet until the next surprise. This time the company chose complete disconnection over guidance to patch. That decision carries weight. It implies either no fix exists yet or the risk cannot be contained by code changes alone. Perhaps stolen credentials, compromised signing keys or a supply-chain vector sits at the center. The firm has not said.
Administrators face practical questions. First, confirm the version. Anything below 5.12.4 on the 5.x branch or outside the 6.x line should have been updated months ago. Yet the shutdown order applies regardless. Second, treat exposed controllers as compromised until proven otherwise. Look for unfamiliar ASPX files in web directories and storage paths. Preserve logs. Launch incident response. Third, prepare for extended downtime. Progress has given no restoration timeline.
The broader file-transfer sector watches closely. Organizations moved mass quantities of sensitive data through these gateways. Many still do. A successful breach here can yield intellectual property, customer records or regulated health information. Attackers know the economics. One foothold can produce high returns. History shows ransomware groups and data-extortion crews target these systems first.
Progress maintains it has seen no unauthorized access to accounts or cloud data. That assurance matters. But it stops short of addressing the controllers themselves. Local server logs, configuration changes or outbound connections could tell a different story. Without transparency, defenders must assume the worst.
And the clock ticks. Every hour a Storage Zone Controller stays offline disrupts collaboration, file syncing and business processes. Yet turning systems back on without clarity invites disaster. The tension sits at the heart of the current episode.
Recent coverage from Field Effect reinforces the point. Published hours ago, the analysis notes no CVE links to the July incident and no confirmation of compromise. It places the alert in context of the April vulnerabilities while stressing the need for isolation. Similar posts on X echo the call for more detail from Progress.
ShareFile once carried the Citrix brand. Its transition to Progress did not erase old weaknesses. The on-premises controller remains a complex piece of software built on IIS and ASP.NET. Configuration pages, file upload handlers and redirect logic all introduce surfaces for error. When those errors surface publicly, exploitation follows quickly.
Security teams should not wait for the next bulletin. Review exposure. Audit logs from the past 30 days. Segment any remaining controllers. Test failover to fully cloud-based ShareFile accounts if possible. And prepare communication for internal stakeholders who will ask why file sharing suddenly stopped.
The company promises updates as its investigation advances. Until then the order stands. Power down. Stay offline. Watch for guidance. In an industry that prizes rapid response, this episode offers a reminder. Sometimes the safest action is the most disruptive one.
But administrators deserve answers. What exactly triggered the alert? Was it exploitation of the earlier flaws? A fresh vulnerability? Something inside Progress’s own infrastructure? The absence of those details fuels speculation and complicates defense. Progress has the platform. It also carries the responsibility to communicate with clarity when threats appear.


WebProNews is an iEntry Publication