Progress Software has verified that a high‑severity zero‑day vulnerability forced the emergency shutdown of ShareFile Storage Zone Controllers last week. The company has issued security updates for all affected versions to remediate the issue.
Key Takeaways
- A high‑severity path‑traversal zero‑day was discovered in ShareFile Storage Zone Controller.
- Progress released patches 5.12.5 and 6.0.2 for immediate deployment.
- No evidence of unauthorized data access has been found, but rapid patching is essential to prevent future exploitation.
Progress Software officially confirmed that a critical zero‑day flaw triggered the emergency shutdown of ShareFile Storage Zone Controllers (SZS) last week. The vulnerability, classified as a high‑severity path‑traversal bug, allows an authenticated administrative user to read arbitrary files accessible to the service account, write attacker‑controlled content to any directory, and enumerate the server’s filesystem layout.
Technical Background
ShareFile’s Storage Zone Controller is a customer‑managed Windows server that bridges on‑premise file storage with the cloud‑based authentication, permission, audit, and collaboration services of the ShareFile platform. This hybrid model offers convenience but also creates a dual attack surface: physical access to on‑premise files and exposure to cloud‑oriented cyber threats. Path‑traversal vulnerabilities are especially dangerous because they can give an attacker full control over the server’s file system, enabling data theft, ransomware encryption, or extortion.
Incident Response and Patch Release
Upon receiving a “credible external security threat” warning, Progress instructed all customers to immediately shut down their Windows servers hosting the controllers. This containment step limited exposure while the security team, together with external cyber‑security experts, investigated the issue. The investigation confirmed the presence of the flaw across all 5.x and 6.x versions, but Progress reported no active breaches or unauthorized access to any customer accounts.
Remediation Measures
Progress has released patched versions 5.12.5 and 6.0.2, urging every organization to apply the updates without delay. Once the patches are installed, the Storage Zone Controllers can be brought back online safely. The company also reserved a CVE identifier for the vulnerability, promising public disclosure within two weeks to aid the broader security community.
Broader Implications
This incident underscores the attractiveness of Storage Zone Controllers to extortion gangs, as they house the very files transferred through the ShareFile ecosystem. Enterprises should reinforce hybrid‑environment defenses with regular code reviews, automated vulnerability scanning, and robust patch‑management workflows. As attackers continuously hunt for such low‑level code flaws, a proactive security posture remains the most effective deterrent.