Description
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Published: 2026-04-02
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can reach the Progress ShareFile Storage Zones Controller (SZC) and access restricted configuration pages. This flaw permits the attacker to alter system settings and potentially execute arbitrary code on the target system, exposing the organization to both data tampering and loss of service. The weakness is rooted in insufficient access control (CWE‑284) and insecure design (CWE‑698).

Affected Systems

The vulnerability affects the Progress ShareFile Storage Zones Controller. No specific version range is listed in the available data; any deployed SZC instance is potentially impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical level of risk. The vulnerability is exploitable remotely by an unauthenticated user, meaning any external host can launch an attack without needing credentials. EPSS data is not available, but the absence from CISA’s KEV catalog does not eliminate the likelihood of exploitation; the critical score and ability to achieve remote code execution render the threat substantial and urgent.

Generated by OpenCVE AI on April 2, 2026 at 15:07 UTC.

Remediation

Vendor Workaround

Harden the Storage Zones Controller access using IIS or use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources.

OpenCVE Recommended Actions

  • Configure IIS to restrict access to the Storage Zones Controller
  • Use a firewall to block network access to the Storage Zones Controller administration pages from untrusted sources
  • Install a vendor patch or upgrade the system once a patch is released
  • Monitor system logs for suspicious activity

Generated by OpenCVE AI on April 2, 2026 at 15:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Progress
Progress sharefile Storage Zones Controller
Vendors & Products Progress
Progress sharefile Storage Zones Controller

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Title EAR vulnerability in Progress ShareFile Storage Zones Controller (SZC)
Weaknesses CWE-284
CWE-698
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Progress Sharefile Storage Zones Controller
cve-icon MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-03T03:55:24.742Z

Reserved: 2026-02-18T16:18:30.153Z

Link: CVE-2026-2699

cve-icon Vulnrichment

Updated: 2026-04-02T13:47:48.973Z

cve-icon NVD

Status : Received

Published: 2026-04-02T14:16:27.697

Modified: 2026-04-02T14:16:27.697

Link: CVE-2026-2699

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:21:17Z

Weaknesses