CVE-2026-2699
Published: 02 April 2026
Summary
CVE-2026-2699 is a critical-severity Improper Access Control (CWE-284) vulnerability in Progress ShareFile Storage Zones Controller. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.3% of all CVEs by exploit likelihood, is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and has a publicly referenced proof of concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Customer-managed ShareFile Storage Zones Controller (SZC) is affected by CVE-2026-2699, a vulnerability that allows unauthenticated attackers to reach restricted configuration pages. The exposure stems from improper access control (CWE-284) and can be leveraged to alter system settings, with a downstream risk of remote code execution. The flaw received a CVSS 3.1 base score of 9.8, reflecting a network attack vector that requires neither credentials nor user interaction.
An unauthenticated remote attacker can exploit the issue directly over the network to modify configuration data and potentially achieve code execution on the controller host. Because the entry point requires no credentials, every SZC instance running a vulnerable version that is reachable over the network, whether from the internet or from an internal segment, is in scope.
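The defect class here is an access check that is applied per page and missed on the configuration pages, so the fix is to enforce authentication and authorization centrally, before any handler runs. The following is an added illustration of that pattern in Python, not code from Storage Zones Controller or from the watchTowr analysis: the route names, roles and session model are hypothetical placeholders.

```python
"""Deny-by-default access enforcement for restricted configuration pages.

Added illustration of the CWE-284 pattern behind this CVE, not code from
ShareFile Storage Zones Controller: a per-handler login check that one
configuration handler omits, next to a hardened dispatcher that
authenticates (IA-2) and authorises (AC-3) centrally before any handler
runs. Route names, roles and the session model are hypothetical.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None          # None: no authenticated session
    roles: FrozenSet[str] = frozenset()


@dataclass
class Response:
    status: int
    body: str = ""


Handler = Callable[[Request], Response]


def zone_status(req: Request) -> Response:
    # Vulnerable style: the handler itself decides whether a login is needed.
    if req.session_user is None:
        return Response(401, "login required")
    return Response(200, "zone ok")


def config_settings(req: Request) -> Response:
    # No check at all: in the vulnerable dispatcher this page is reachable
    # by anyone who can talk to the controller, which is the CVE's shape.
    return Response(200, "storage path updated")


VULNERABLE_ROUTES: Dict[str, Handler] = {
    "/status": zone_status,
    "/configservice/settings": config_settings,   # hypothetical path
}


def vulnerable_dispatch(req: Request) -> Response:
    handler = VULNERABLE_ROUTES.get(req.path)
    return handler(req) if handler else Response(404, "not found")


# Hardened dispatcher: one gate in front of every route, deny by default.
PUBLIC_PATHS = frozenset({"/login", "/health"})
ADMIN_PREFIXES = ("/configservice/",)            # everything here needs "admin"

HARDENED_ROUTES: Dict[str, Handler] = {
    "/health": lambda req: Response(200, "up"),
    "/login": lambda req: Response(200, "login form"),
    "/status": zone_status,
    "/configservice/settings": config_settings,   # same handler, now gated
}


def canonical_path(raw: str) -> str:
    """Collapse '..' segments and case so routing and policy see one spelling."""
    path = posixpath.normpath(raw.split("?", 1)[0]).lower()
    return path if path.startswith("/") else "/" + path


def hardened_dispatch(req: Request) -> Response:
    path = canonical_path(req.path)
    handler = HARDENED_ROUTES.get(path)
    if handler is None:
        return Response(404, "not found")
    if path in PUBLIC_PATHS:
        return handler(req)
    # IA-2: nothing outside the public allowlist runs without an identity.
    if req.session_user is None:
        return Response(401, "login required")
    # AC-3: configuration pages additionally require the admin role.
    if path.startswith(ADMIN_PREFIXES) and "admin" not in req.roles:
        return Response(403, "forbidden")
    return handler(req)
```

Two details matter in the hardened dispatcher. The policy decision is made on a canonical path, so a differently cased or `..`-containing spelling of the configuration URL cannot slip past a prefix rule that the router would still resolve. And the public allowlist is the only way to skip authentication; adding a new page without touching the allowlist leaves it protected, which is the inverse of the vulnerable arrangement.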
Public references include the vendor advisory at docs.sharefile.com detailing the February 2026 security update for Storage Zones Controller 5.0 and a technical analysis published by watchTowr Labs on GitHub. These resources outline available patches and recommended remediation steps for customer-managed deployments.
The EPSS score rose after disclosure to a peak of 0.4159 and currently stands at 0.3203. A probability in this range indicates sustained exploitation interest; together with the public proof of concept, it warrants prompt patching of reachable instances regardless of the CVE's absence from the KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18218
Vulnerability details
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Unauthenticated remote access to restricted configuration pages, enabling configuration changes and RCE, maps directly to T1190 (Exploit Public-Facing Application).
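Because the technique is an unauthenticated request to a page that should require a session, the corresponding detection is a search of the controller's web server logs for successful requests to restricted paths that carry no authenticated username. The following is an added example, not part of this page and not a Progress-supplied rule: it parses IIS W3C extended log lines using the `#Fields:` header, over a constructed sample embedded in the script. The restricted path prefixes and the management network are hypothetical placeholders to be replaced with the values for your deployment.

```python
"""Hunt for unauthenticated requests that reach restricted configuration pages.

Added example, not from the page or from Progress: parses IIS W3C extended
log lines (a constructed sample is embedded below) and reports successful
requests to protected path prefixes that carry no authenticated username.
The path prefixes and management network are hypothetical placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample, not real SZC traffic. IIS writes '-' for an empty field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus time-taken
2026-04-02 10:01:05 10.0.0.5 GET /health - 443 - 10.0.0.20 Mozilla/5.0 200 0 3
2026-04-02 10:01:09 10.0.0.5 GET /configservice/settings - 443 szcadmin 10.0.0.20 Mozilla/5.0 200 0 41
2026-04-02 10:02:13 10.0.0.5 GET /ConfigService/settings - 443 - 203.0.113.7 python-requests/2.31 200 0 38
2026-04-02 10:02:14 10.0.0.5 POST /configservice/settings - 443 - 203.0.113.7 python-requests/2.31 200 0 120
2026-04-02 10:03:00 10.0.0.5 GET /configservice/settings - 443 - 198.51.100.9 curl/8.4 401 2 5
"""

RESTRICTED_PREFIXES = ("/configservice/",)                  # hypothetical
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]     # hypothetical


@dataclass
class Hit:
    time: str
    client: str
    method: str
    path: str
    status: int
    from_mgmt_net: bool


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue            # malformed line: skip rather than misalign fields
        yield dict(zip(fields, parts))


def find_unauthenticated_config_access(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for rec in parse_w3c(text):
        # Match case-insensitively: IIS paths are not case-sensitive.
        path = rec["cs-uri-stem"].lower()
        if not path.startswith(RESTRICTED_PREFIXES):
            continue
        status = int(rec["sc-status"])
        # A 401/403 means the gate held. Only a success with no username is
        # evidence that a restricted page was served to an anonymous client.
        if rec["cs-username"] != "-" or status >= 400:
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        hits.append(Hit(rec["time"], rec["c-ip"], rec["cs-method"], path, status,
                        any(ip in net for net in MANAGEMENT_NETS)))
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_config_access(SAMPLE_LOG):
        flag = "" if hit.from_mgmt_net else "  <- outside management network"
        print(f"{hit.time} {hit.client} {hit.method} {hit.path} {hit.status}{flag}")
```

On the sample, the authenticated admin request and the request that was refused with 401 are both ignored; the two anonymous requests that received 200, including the POST that would correspond to a configuration change, are reported, with the source flagged as outside the management network. On a patched controller the same query should return nothing, which makes it a cheap post-patch regression check as well as a hunt.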
Affected Assets
- Progress ShareFile Storage Zones Controller (customer-managed deployments running a version prior to the February 2026 security update)
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before permitting access to restricted configuration pages, blocking the unauthenticated entry point described in the CVE.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication of users before granting access to the SZC controller, eliminating the unauthenticated attack vector that leads to configuration changes and RCE.
- AC-6 (Least Privilege): limits privileges on any authenticated session to the minimum required, reducing the impact if an attacker reaches configuration functionality despite the other controls.