Skip to content
feed: live
>_ 0dayNews
progress

Progress tells ShareFile on-prem users to shut down servers

Progress emailed on-prem ShareFile Storage Zone customers to shut down servers over a 'credible external threat.' No CVE, no patch — just an offline advisory.

Progress tells ShareFile on-prem users to shut down servers
Image: 0dayNews / 0dayNews Editorial · All rights reserved
kilobaud Dave "Kilobaud" Ferris · Published · 3 min read

Progress Software began emailing ShareFile customers today, July 10, telling them to manually shut down the Windows servers hosting their on-premises Storage Zone Controllers over what the company describes as a “credible external security threat”. The subject line on the outbound email, per BleepingComputer, is “Service Disruption. Immediate Action Required.” Progress says it has “no indication of unauthorized access to any Progress ShareFile accounts or data,” and has promised customers an update within 24 hours.

There is no CVE assigned as of this writing. No patch. No public exploit. No technical detail about what the “credible threat” actually is. The instruction is the entire advisory.

Analysis, not confirmation. Nothing below is a claim that the current ShareFile situation is a repeat of MOVEit — it might not be, and Progress has said as much. What follows is context on why an advisory of this shape from this vendor lands the way it does.

What is actually affected

ShareFile itself is Progress’s cloud file-sharing service. Storage Zone Controllers are the on-premises option — Windows servers that customers deploy locally to host files while ShareFile’s cloud handles authentication and collaboration. Customers who use only the cloud storage are, per the advisory as reported, not the audience for the shutdown request. Customers who front their own data with a Storage Zone Controller are.

That is the population that got the “shut it down” email. Progress has not published version numbers, has not published indicators of compromise, and has not published a specific advisory URL beyond the customer-directed email. The action being requested — cut power to the server — is a stronger signal than the message content is.

The shape of the advisory is familiar

Progress is the same vendor that shipped MOVEit Transfer in May and June of 2023, when CVE-2023-34362, a pre-auth SQL injection, was mass-exploited by Clop before a public patch existed. That campaign moved sensitive files out of hundreds of organizations, and the victim count into the tens of millions, before the industry finished counting. The advisory pattern in the early days of MOVEit was the same one landing today: a vendor asking customers to take an internet-facing file-transfer product offline while it worked out what, exactly, was going on.

Twice this decade, from the same company, for the same category of product, with roughly the same instruction to customers. Whether the underlying cause is the same is a separate question, and one nobody outside Progress can answer yet.

What the audience already knows to do

Sysadmins running Storage Zone Controllers do not need a news writeup to tell them what to do — they got the email — but the piece around the email is worth stating plainly. When a vendor tells its customers to shut down an internet-facing appliance without publishing a CVE or a patch, the vendor is buying time, and the customer is being asked to bear the cost of that time in the form of a service outage. That is a reasonable trade in the short term and a bad one in the long term, and the difference between the two is measured in how quickly the vendor produces something concrete: an advisory, a version, an IOC list, a fix.

Progress has committed to a 24-hour update. That is the number to watch. If concrete detail lands inside that window, the advisory did its job. If it slips, the pattern from 2023 will start to feel less like coincidence and more like the outline of a story that has not yet been reported.

We will update this piece when Progress publishes more, or when a CVE is assigned. Customers running Storage Zone Controllers should follow Progress’s guidance directly rather than any second-hand summary; the BleepingComputer report is the fullest public account of the advisory as of this writing.

Found this useful? Share it.