You’re Not Supposed To ShareFile With Everyone (Progress ShareFile Pre-Auth RCE Chain CVE-2026-2699 & CVE-2026-2701)
Security researchers discovered a pre-authenticated Remote Code Execution (RCE) chain in Progress ShareFile Storage Zone Controller. By chaining an Execution After Redirect (EAR) authentication bypass (CVE-2026-2699) with an arbitrary file upload vulnerability (CVE-2026-2701), attackers can reconfigure the storage repository to the webroot and extract an ASPX webshell, achieving full system compromise.
Authors: Sonny
Source: watchTowr
- filename: C:\inetpub\wwwroot\ShareFile\StorageCenter\documentum - Example webroot path targeted for webshell deployment via Network Share Location modification.
- url: /ConfigService/Admin.aspx - Endpoint vulnerable to Execution After Redirect (EAR) authentication bypass.
- url: /ConfigService/api/StroageZoneConfig - API endpoint abused to leak TempData2, which contains the encrypted Zone Secret.
- url: /upload.aspx - Endpoint abused to upload and extract ZIP files containing webshells.
What Happened
Security researchers found two critical flaws in Progress ShareFile, a system companies use to store and share files securely. The first flaw allows an attacker to bypass the login screen and access the administrator settings. The second flaw lets the attacker change where files are saved and upload a malicious program to take over the server. This means an outside attacker could gain full control of the file sharing system without needing a password. Organizations using ShareFile Storage Zone Controller should update to version 5.12.4 immediately to protect their data.
Key Takeaways
- Progress ShareFile Storage Zone Controller is vulnerable to a pre-auth RCE chain (CVE-2026-2699 and CVE-2026-2701).
- CVE-2026-2699 is an Execution After Redirect (EAR) vulnerability allowing unauthenticated access to the admin configuration panel.
- Attackers can reconfigure the Storage Repository to point to the webroot and upload a ZIP containing an ASPX webshell.
- The vulnerabilities affect branch 5.x up to version 5.12.3 and are patched in version 5.12.4.
Affected Systems
- Progress ShareFile Storage Zone Controller (Branch 5.x, version 5.12.3 and earlier)
- Microsoft IIS
Vulnerabilities (CVEs)
- CVE-2026-2699
- CVE-2026-2701
Attack Chain
The attacker initiates the attack by requesting /ConfigService/Admin.aspx and ignoring the HTTP 302 redirect, exploiting an Execution After Redirect (EAR) vulnerability to access the admin panel unauthenticated. They then modify the Storage Zone configuration, pointing the 'Primary Zone Controller' to an attacker-controlled server and the 'Network Share Location' to the local IIS webroot. After changing the passphrase, the attacker queries /ConfigService/api/StroageZoneConfig to leak the encrypted TempData2 value, which is decrypted using a hardcoded salt to obtain the Zone Secret. Finally, the attacker uses the Zone Secret to sign a malicious file upload request, uploading a ZIP file containing an ASPX webshell to /upload.aspx with the unzip parameter set to true, resulting in the webshell being extracted into the webroot for remote code execution.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: watchTowr Detection Artifact Generator (DAG)
The article mentions a Detection Artifact Generator (DAG) script provided by watchTowr that checks for CVE-2026-2699 exposure by verifying whether the response to Admin.aspx carries a 302 status code together with a body longer than 10,000 characters (a genuine redirect carries almost no body).
Detection Engineering Assessment
- EDR Visibility (High): EDR will easily detect IIS worker processes (w3wp.exe) spawning cmd.exe or other suspicious child processes, as well as arbitrary file writes (ASPX files) into the webroot.
- Network Visibility (Medium): Network sensors can detect the anomalous HTTP 302 response with a large content length from Admin.aspx, as well as POST requests to upload.aspx containing the 'unzip=true' parameter.
- Detection Difficulty (Moderate): While the initial EAR bypass might blend in with normal web traffic if response bodies aren't logged, the subsequent webshell drop and process execution from w3wp.exe are highly detectable standard web exploitation patterns.
Required Log Sources
- IIS Access Logs
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- File Creation Logs (Sysmon Event ID 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for HTTP requests to /ConfigService/Admin.aspx that return a 302 status code but have an unusually large response body (e.g., >10,000 bytes), indicating an Execution After Redirect vulnerability. | Web Server Access Logs / WAF Logs | Initial Access | Low |
| Search for file creation events where an ASPX file is written to the ShareFile webroot directory (C:\inetpub\wwwroot\ShareFile) by the IIS worker process. | EDR / File Integrity Monitoring | Persistence | Low |
| Monitor for the IIS worker process (w3wp.exe) spawning command shells (cmd.exe, powershell.exe) or other suspicious binaries, indicating potential webshell execution. | EDR / Process Creation Logs | Execution | Low |
| Look for POST requests to /upload.aspx that include the parameter 'unzip=true', which is abused to extract malicious payloads. | Web Server Access Logs / WAF Logs | Execution | Medium |
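The first, third and fourth hypotheses above, run over constructed IIS W3C log lines; this is an added example, not code from the original article or from watchTowr's DAG. It assumes the optional sc-bytes field is enabled in IIS logging and that the unzip parameter travels in the query string (a parameter sent only in the POST body is invisible in IIS logs and needs WAF or proxy logging).

```python
"""Hunt IIS W3C access logs for the ShareFile EAR / ZIP-upload chain indicators."""
from typing import Dict, List, Tuple

# Constructed sample log, not captured from a real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2026-03-01 10:00:01 GET /ConfigService/Admin.aspx - 10.1.2.3 302 215
2026-03-01 10:00:02 GET /ConfigService/Admin.aspx - 203.0.113.10 302 24567
2026-03-01 10:00:05 GET /ConfigService/api/StroageZoneConfig - 203.0.113.10 200 1834
2026-03-01 10:00:09 POST /StorageCenter/Upload.aspx unzip=true&uploadid=test 203.0.113.10 200 40
2026-03-01 10:01:00 POST /StorageCenter/Upload.aspx unzip=false&uploadid=doc 10.1.2.4 200 40
"""

EAR_BODY_THRESHOLD = 10_000  # threshold from the watchTowr DAG; a real redirect has a tiny body


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):     # skip malformed or truncated rows
                records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str]) -> str:
    """Return the hunting rule a record matches, or '' if it looks benign."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()   # IIS writes '-' when empty
    raw_bytes = rec.get("sc-bytes", "0")
    sent = int(raw_bytes) if raw_bytes.isdigit() else 0
    if stem.endswith("/configservice/admin.aspx") and rec.get("sc-status") == "302" \
            and sent > EAR_BODY_THRESHOLD:
        return "EAR_302_LARGE_BODY"      # CVE-2026-2699: admin page served despite redirect
    if stem.endswith("/configservice/api/stroagezoneconfig"):
        return "ZONE_CONFIG_API_READ"    # step used to leak TempData2 (encrypted Zone Secret)
    if stem.endswith("/upload.aspx") and rec.get("cs-method") == "POST" and "unzip=true" in query:
        return "UPLOAD_UNZIP_TRUE"       # CVE-2026-2701: server-side ZIP extraction on upload
    return ""


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """(rule, client ip, uri stem) for every matching record, in log order."""
    return [(rule, rec["c-ip"], rec["cs-uri-stem"])
            for rec in parse_w3c(text) if (rule := classify(rec))]
```

Correlating the three rule names by client IP in sequence (EAR, then config API, then unzip upload) gives a much stronger signal than any single hit.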
Control Gaps
- Lack of response body inspection on 302 redirects by WAFs
- Insufficient input validation on Network Share Location paths
Key Behavioral Indicators
- w3wp.exe spawning cmd.exe
- Large Content-Length on 302 redirect from Admin.aspx
- unzip=true parameter in upload requests
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Upgrade Progress ShareFile Storage Zone Controller to version 5.12.4 immediately.
- Restrict access to the Storage Zone Controller configuration interface (/ConfigService/) to trusted internal IP addresses only.
Infrastructure Hardening
- Implement File Integrity Monitoring (FIM) on the IIS webroot to detect unauthorized ASPX file creations.
- Ensure the IIS worker process runs with the principle of least privilege.
User Protection
- Deploy EDR on all internet-facing IIS servers to monitor for suspicious process ancestry (e.g., w3wp.exe spawning cmd.exe).
Security Awareness
- Educate development teams on the risks of Execution After Redirect (EAR) vulnerabilities and the importance of terminating execution after issuing HTTP redirects.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1505.003 - Server Software Component: Web Shell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
Additional IOCs
- Urls:
  - /ConfigService/Login.aspx?callerpage=Admin - Redirect target for the vulnerable Admin.aspx page.
  - /StorageCenter/Upload.aspx - Upload page containing the vulnerable ZIP extraction logic.
- File Paths:
  - C:\inetpub\wwwroot\ShareFile - Default IIS installation directory for ShareFile.
- Command Lines:
  - Purpose: Webshell execution test to verify remote code execution | Tools: cmd.exe, whoami | Stage: Execution | cmd.exe /c whoami
- Other:
  - unzip=true - Parameter used in the upload request to trigger ZIP extraction.