Description
An authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
Published: 2026-04-02
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows an authenticated user to upload a malicious file to the Progress ShareFile Storage Zones Controller and execute it, resulting in remote code execution. The flaw arises from insufficient validation of uploaded content, permitting arbitrary code to run on the server. Attackers can compromise the confidentiality, integrity, and availability of the affected system and potentially gain full control of the underlying host.

Affected Systems

The affected product is Progress ShareFile Storage Zones Controller. Specific version information is not disclosed, so all deployed instances of this product may be vulnerable unless they have been patched recently. Only users with upload privileges in the system can exploit this flaw.

Risk and Exploitability

The CVSS 3.1 score of 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) indicates critical severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the impact is severe. The likely attack vector is an authenticated user who is permitted to upload files, so internal or compromised accounts could be used to trigger the exploit. No additional conditions are specified, so exploitation appears straightforward once an authenticated session is established.

Generated by OpenCVE AI on April 2, 2026 at 15:07 UTC.

Remediation

Vendor Workaround

Reset the secret and password using the custom tool provided by ShareFile.


OpenCVE Recommended Actions

  • Reset the secret and password using the custom ShareFile tool
  • Review and restrict user roles to limit file upload permissions to only those who need them
  • Apply any vendor patch or upgrade for the ShareFile Storage Zones Controller as soon as it is released
  • Continuously monitor system logs for suspicious file upload or execution activity

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Progress; Progress sharefile Storage Zones Controller

Type: Vendors & Products
Values Added: Progress; Progress sharefile Storage Zones Controller

Thu, 02 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 13:45:00 +0000

Type: Description
Values Added: Authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

Type: Title
Values Added: RCE vulnerability in Progress ShareFile Storage Zones Controller (SZC)

Type: Weaknesses
Values Added: CWE-434; CWE-78; CWE-94

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-04-03T03:55:26.174Z

Reserved: 2026-02-18T17:20:44.202Z

Link: CVE-2026-2701

Vulnrichment

Updated: 2026-04-02T13:48:41.958Z

NVD

Status: Received

Published: 2026-04-02T14:16:27.917

Modified: 2026-04-02T14:16:27.917

Link: CVE-2026-2701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:21:16Z
