CRITICAL🇵🇱 Wersja polska

CVE-2026-2699

CVSS 9.8v3.1pub. 2026-04-02upd. 2026-04-21

Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.

🤖 AI Analysis
How it works

An attacker without any authentication can gain access to protected configuration pages of the Storage Zones Controller component. Lack of proper access control (CWE-284) allows bypassing authorization mechanisms and directly accessing protected administrative resources. After gaining access to the configuration panel, the attacker can modify system settings in a way that leads to remote code execution on the server.

Impact

An attacker can gain full control of the server through arbitrary code execution (RCE), and can also modify system configuration, which may result in breaches of confidentiality, integrity, and availability of data stored in the ShareFile environment.

Mitigation & patch

Apply patches available from the vendor in accordance with references — details available at: https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26. Until updates are deployed, it is recommended to restrict network access to the Storage Zones Controller administration panel exclusively to trusted IP addresses.

Who is affected

Progress ShareFile Storage Zones Controller (Customer Managed) — versions indicated in the vendor references (security documentation from February 2026).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Progress Sharefile Storage Zones Controller

    APP
    Progress
    5.0.0 – 5.12.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2026-2701CRITICAL9.1PL ✓ten sam produkt

RCE w Progress Sharefile Storage Zones Controller — upload złośliwego pliku

CVE-2024-6670CRITICAL9.8⚠ KEVPL ✓ten sam vendor

SQL Injection w Progress WhatsUp Gold — kradzież zaszyfrowanych haseł

CVE-2024-4885CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Progress WhatsUp Gold – nieuwierzytelniony RCE przez path traversal

CVE-2024-1212CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Progress LoadMaster – nieuwierzytelnione RCE przez command injection w interfejsie zarządzania

CVE-2023-40044CRITICAL10.0⚠ KEVten sam vendor

In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deseria...