CVE-2026-2699
Published: 02 April 2026
Summary
CVE-2026-2699 is a critical-severity Improper Access Control (CWE-284) vulnerability in Progress Sharefile Storage Zones Controller. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly restricts permitted actions without identification or authentication, preventing unauthenticated access to restricted configuration pages.
Enforces approved authorizations for access to system resources, blocking unauthenticated attackers from reaching sensitive configuration functions.
Restricts access to configuration change capabilities to authorized individuals only, mitigating unauthorized modifications leading to RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote access to restricted configuration pages enabling config changes and RCE directly facilitates T1190 (Exploit Public-Facing Application).
NVD Description
Customer Managed ShareFile Storage Zones Controller (SZC) allows an unauthenticated attacker to access restricted configuration pages. This leads to changing system configuration and potential remote code execution.
Deeper analysisAI
CVE-2026-2699 is a critical vulnerability in the Customer Managed ShareFile Storage Zones Controller (SZC), where an unauthenticated attacker can access restricted configuration pages. This improper access control issue, mapped to CWE-284 and CWE-698, enables attackers to modify system configurations and potentially achieve remote code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe impact on confidentiality, integrity, and availability.
Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of prerequisites like privileges or user interaction. Successful exploitation allows modification of sensitive system settings, which could lead to full remote code execution on the affected SZC instance, compromising the entire storage controller environment.
Mitigation details and security advisories are available in the official ShareFile documentation at https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26, along with analysis from WatchTowr Labs on GitHub at https://github.com/watchtowrlabs/watchTowr-vs-Progress-ShareFile-CVE-2026-2699. Security practitioners should consult these resources for patching instructions and workaround guidance.
Details
- CWE(s)