CVE-2026-2701
Published: 02 April 2026
Summary
CVE-2026-2701 is a critical-severity OS Command Injection (CWE-78) vulnerability in Progress ShareFile Storage Zones Controller. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 1.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
CVE-2026-2701 is an authenticated remote code execution vulnerability affecting Citrix ShareFile Storage Zones Controller. An authenticated user can upload a malicious file to the server and subsequently execute it, resulting in arbitrary code execution on the affected system. The flaw is tracked under CWEs 78, 94, and 434 and carries a CVSS 3.1 score of 9.1.
An attacker holding valid high-privileged credentials can exploit the issue over the network with low attack complexity and no user interaction. Successful exploitation has full confidentiality, integrity, and availability impact on the server and, because the scope metric is Changed, potentially on other systems beyond the vulnerable component's own security scope.
A vendor advisory addressing the issue is available at https://docs.sharefile.com/en-us/storage-zones-controller/5-0/security-vulnerability-feb26. The associated EPSS score has remained flat at 0.0117 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-18220
Vulnerability details
An authenticated user can upload a malicious file to the server and execute it, which leads to remote code execution.
- CWE(s): CWE-78 (OS Command Injection), CWE-94 (Code Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables RCE through three paths: unrestricted upload of dangerous files (CWE-434, facilitating T1505.003 Web Shell), OS command injection (CWE-78, mapping to T1059 Command and Scripting Interpreter), and exploitation of the remotely exposed Storage Zones Controller service (T1210).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the malicious file upload path by enforcing validation of file content, type, and structure before acceptance.
- SI-3 (Malicious Code Protection): scans and quarantines uploaded files for malicious code (CWE-434) before any opportunity for execution.
- Privilege restriction: restricts the high-privileged account's ability to upload or trigger execution of arbitrary files on the ShareFile controller.