CVE-2026-2701

Critical · RCE

Published: 02 April 2026
Modified: 21 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.4881 (98.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-2701 is a critical-severity OS Command Injection (CWE-78) vulnerability in Progress Sharefile Storage Zones Controller. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 1.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

CVE-2026-2701 is an authenticated remote code execution vulnerability affecting Citrix ShareFile Storage Zones Controller. An authenticated user can upload a malicious file to the server and subsequently execute it, resulting in arbitrary code execution on the affected system. The flaw is tracked under CWEs 78, 94, and 434 and carries a CVSS 3.1 score of 9.1.

An attacker with valid high-privileged credentials can exploit the issue over the network with low attack complexity and no user interaction. Successful exploitation carries high confidentiality, integrity, and availability impact on the server, and the changed scope metric (S:C) indicates that the impact can extend to resources beyond the vulnerable component's own security scope.

A vendor advisory addressing the issue is available at https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26. The associated EPSS score has remained flat at 0.0117 with no material increase observed since disclosure.

Vulnerability details

An authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 · Command and Scripting Interpreter · Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1505.003 · Web Shell · Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables RCE through three mapped weaknesses: unrestricted upload of dangerous files (CWE-434, which facilitates T1505.003 Web Shell), OS command injection (CWE-78, which maps to T1059), and exploitation of the remote Storage Zones Controller service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2699 · Same product: Progress Sharefile Storage Zones Controller
CVE-2026-3692 · Same vendor: Progress
CVE-2025-13447 · Same vendor: Progress
CVE-2025-13444 · Same vendor: Progress
CVE-2024-56134 · Same vendor: Progress
CVE-2024-12251 · Same vendor: Progress
CVE-2024-56132 · Same vendor: Progress
CVE-2024-11628 · Same vendor: Progress
CVE-2026-7201 · Same vendor: Progress
CVE-2024-11627 · Same vendor: Progress

Affected Assets

Vendor: progress
Product: sharefile storage zones controller
Affected versions: 5.0.0 to 5.12.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly blocks the malicious file upload path by enforcing validation of file content, type, and structure before acceptance.

prevent · detect

Scans and quarantines uploaded files for malicious code (CWE-434) prior to any execution opportunity.

prevent

Restricts the high-privileged account's ability to upload or trigger execution of arbitrary files on the ShareFile controller.
