by datastudy.nl

Field notes for teams tracking critical CVEs and major incidents

Engineering

ShareFile Storage Zone Controllers shut down, no patch yet

ShareFile Storage Zone Controllers are on-prem servers Progress ordered shut down on July 10 over a credible threat with no patch available.

Abstract data visualization of ShareFile Storage Zone Controllers response urgency at 5 on a 1 to 5 scale, the highest level, compared to prior Progress incidents MOVEit Transfer and MOVEit Automation at 4.
ShareFile Storage Zone Controllers response urgency rated 5 of 5, the highest vendor response level among recent Progress Software incidents. Source: Data Today analysis. Data Today benchmark.

When a vendor tells you to turn off its product, the vulnerability is bad enough that the fix is "stop running it." That is where Progress Software put ShareFile customers on July 10, 2026. The company began emailing customers running on-premises ShareFile Storage Zone Controllers, instructing them to immediately shut down their Windows servers over what it describes as a "credible external security threat." No patch exists. No workaround exists. The only prescribed action is to power off.

Progress also took the rare step of temporarily disabling access to affected accounts, a move it called cautionary while it works with internal and external security teams. For any team running Storage Zone Controllers in production, the operational math is simple: your file-sharing service goes offline now, or you accept a threat the vendor itself considers credible enough to pull the plug on its own customers.

What did Progress actually tell ShareFile customers?

Progress Software began emailing ShareFile customers who deploy on-premises Storage Zone Controllers on July 10, 2026, with a directive to immediately shut down the Windows servers running those controllers. The company confirmed to The Hacker News that it is responding to a credible external security threat targeting the on-premises secure file-sharing software. BleepingComputer independently reported the same shutdown directive, noting that Progress is contacting affected customers directly by email.

Storage Zone Controllers are the on-premises component of ShareFile that lets organizations store shared files on their own infrastructure rather than in a cloud environment. They sit inside the corporate network, handle file storage and access controls, and act as the bridge between ShareFile's cloud services and internal file systems. Shutting them down means file sharing through ShareFile stops working for any configuration that depends on on-prem storage.

Progress described its decision to disable account access as an action taken "out of an abundance of caution." The company has not published a CVE, a technical advisory, or a workaround. It has not specified a timeline for a patch or indicated when services can be safely restored. It has not disclosed whether it has observed active exploitation, how many customers are affected, or what attack vector the threat uses.

The absence of any technical detail at this stage is itself a signal. This is containment through decommissioning: turn off the service, eliminate the attack surface, and sort out the rest after the immediate risk is contained.

How does this fit Progress's recent security track record?

Progress Software has a history of high-impact security incidents in its file-transfer product line. The 2023 MOVEit Transfer vulnerability, CVE-2023-34362, was exploited by the Cl0p ransomware group before a patch was available and ultimately affected thousands of organizations worldwide, from financial institutions to government agencies. That incident reset how many security teams think about file-transfer software as an attack surface.

Now, in July 2026 alone, Progress has two active security emergencies. Alongside the ShareFile shutdown, the company issued an urgent advisory for a critical authentication bypass in MOVEit Automation tracked as CVE-2026-41941. That flaw lets unauthenticated attackers bypass login protections and execute arbitrary commands with the privileges of the MOVEit Automation service. Progress confirmed that scanning and exploitation attempts were already underway at the time of disclosure. A patch exists for that one.

The contrast between the two responses tells you something. MOVEit Automation gets a CVE, a patch, and a standard "patch now" advisory. ShareFile Storage Zone Controllers get a shutdown order with no patch, no CVE, and no restoration timeline. The severity ladder in Progress's own response posture indicates which one they consider more immediately dangerous. The chart below maps the response urgency across three Progress incidents on an editorial 1 to 5 scale.

Bar chart showing response urgency for three Progress Software incidents: MOVEit Transfer May 2023 at 4, MOVEit Automation July 2026 at 4, and ShareFile Storage Zone Controllers July 2026 at 5 on a 1 to 5 scale.
Response urgency for three Progress Software security incidents on a 1 to 5 editorial scale. MOVEit Transfer (May 2023) and MOVEit Automation (July 2026) both rated 4. ShareFile Storage Zone Controllers (July 2026) rated 5, the highest level. Source: Data Today analysis. Data Today benchmark.

The ShareFile situation earns the highest urgency rating because the vendor's prescribed remediation is the most extreme action available: stop running the software entirely. When a vendor chooses that path over releasing a patch, the threat either moves faster than a patch cycle or the vulnerability is structural enough that a hotfix would not reliably close it.

What does a Storage Zone Controller shutdown mean for your infrastructure?

If your organization runs ShareFile with on-premises Storage Zone Controllers, the immediate operational impact is a file-sharing outage with no estimated end date. Since the July 10 directive, every workflow that depends on ShareFile for large file transfer, partner document exchange, or internal collaboration has been down until Progress signals it is safe to restore. You need a stopgap. An alternative secure transfer path, even a temporary SFTP server or a cloud storage bucket with expiring links, keeps files moving while the primary service stays dark. The same way you would build a bridge plan for a critical SharePoint patch window, you need continuity coverage for this outage.

The security impact runs deeper than the operational one. A compromised Storage Zone Controller is a potential credential store, a lateral movement pivot, and a data exfiltration channel all concentrated in one system. The controller handles file storage, authentication, and the connection between on-prem systems and ShareFile's cloud tier. If an attacker gained control of it, they could access every file flowing through the controller, harvest credentials cached for cloud connectivity, and establish a trusted foothold inside the network perimeter.

If your controllers were exposed to the internet, even behind a VPN or firewall, you should treat them as potentially compromised until you have evidence otherwise. That means rotating every credential the controllers had access to: service accounts, cloud storage keys, API tokens, and embedded SFTP or FTPS credentials. It also means preserving logs now, before retention policies or scheduled rotations erase the forensic baseline you may need.

What should you do in the next 24 hours?

The immediate action list is short and non-negotiable:

  • Shut down all Storage Zone Controller servers. Do not disable specific services or ports. Stop the controller services entirely or power off the machines.
  • Verify account status with Progress. Check whether the company has disabled access to your ShareFile account. If it has, document the timestamp. If it has not, contact support to confirm your account state.
  • Inventory everything the controllers touched. List every credential, file path, cloud storage connection, and API integration the controllers could reach. This is your rotation and review list.
  • Rotate credentials. Start with service accounts and cloud storage keys. Move to embedded SFTP, FTPS, and HTTPS credentials. Reissue SSH keys and TLS certificates if the controllers handled them.
  • Export logs to cold storage. Pull controller logs, Windows event logs, and any ShareFile audit data before retention policies overwrite them. If this becomes a forensic investigation, you need that baseline intact.
  • Stand up an alternative file transfer path. A temporary SFTP server or a shared cloud storage bucket with access controls buys you operational continuity while the primary service is down.
  • Monitor for the safe-to-restore signal. Progress has not committed to a patch timeline. Watch its security advisories page for updates, hotfixes, or guidance on when it is safe to bring controllers back online.

If your controllers were internet-facing, escalate the credential rotation to include everything the controllers could reach on your internal network. Look for signs of persistence: new local admin accounts, new scheduled tasks, modified services, unexpected outbound connections. If you find indicators of compromise, isolate the host, take a forensic snapshot, and initiate your incident response process.

The MOVEit Automation advisory from the same vendor describes the same class of indicators to hunt for, including new or modified tasks that call cmd.exe, powershell.exe, curl, or unusual binaries. That detection playbook applies here even though the two vulnerabilities are in different products.

The shutdown is the advisory

Progress did not issue a CVE, a CVSS score, or a technical workaround. It told customers to turn the machines off. In enterprise software, that is the loudest alarm that exists. The company is willing to absorb the operational cost of every affected ShareFile customer going dark rather than risk what happens if those servers stay online. Until Progress publishes a patch and a clear signal that restoration is safe, the controllers stay down, the credentials rotate, and the logs stay preserved.

Sources