Skip to content
feed: live
>_ 0dayNews
progress

Progress patches ShareFile zero-day: 5.12.5 and 6.0.2 out

Progress shipped ShareFile Storage Zone Controller 5.12.5 and 6.0.2 to fix a high-severity authenticated path traversal. CVE pending. Patch first, then bring the boxes back up.

Progress patches ShareFile zero-day: 5.12.5 and 6.0.2 out
Photo: Louis Saint-Gaudens, sculptor Wikipedia Saves Public Art / Wikimedia Commons · CC BY 2.0
fuse Marisol "Fuse" Delgado · Published · 2 min read

Progress released ShareFile Storage Zone Controller 5.12.5 and 6.0.2 today, patching the high-severity flaw behind last week’s emergency shutdown of on-prem Storage Zone Controllers. CVE ID is reserved but not yet published — Progress says it’ll go public in about two weeks. Install the patch, restore service, done.

The bug is a path traversal. Per Progress, “an authenticated administrative user can read arbitrary files accessible to the application’s service account, write threat actor-controlled content to arbitrary directories or enumerate the server filesystem layout.” Two things worth pulling out of that. First, it needs admin auth — this is not the same class of hole as the pre-auth RCE watchTowr disclosed on the same product in April (CVE-2026-2699 and CVE-2026-2701). Second, an admin who can read arbitrary files and drop content in arbitrary directories on a Windows Storage Zone Controller isn’t stuck at “read your config” — it’s a real chain if those admin creds ever get away from you.

Progress says it has “no indication of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat.” Fine, treat it as no evidence yet. Storage Zone Controllers didn’t get pulled off the network on a Friday for fun — the original advisory called it a “credible external security threat,” and the CVE process is now being kept slow on purpose so the fix ships before the details do.

The honest timeline:

  • July 10 — Progress emails customers to shut down on-prem Storage Zone Controllers immediately. No CVE, no patch, no detail.
  • July 14 — 5.12.5 and 6.0.2 out; flaw identified as authenticated path traversal, high severity.
  • ~July 28 — CVE ID expected to publish.

Priority order:

  1. Install 5.12.5 (5.x branch) or 6.0.2 (6.x branch) via the Progress support portal before you bring anything back online. Don’t restore service on the vulnerable build “just for a minute” — that’s how these come back.
  2. Review admin activity on your Storage Zone Controllers from before the July 10 shutdown: out-of-window admin logins, unexpected file reads against the service account, unfamiliar admin accounts. If your audit log doesn’t go back that far, that’s the finding.
  3. Rotate ShareFile admin credentials if there’s any doubt about the trail. Cheap step, worth doing.
  4. Then restore service.

Note for anyone whose patch pipeline keys off CVE IDs: this one won’t show up in your vulnerability scanner or KEV feed for another two weeks. Track it by Progress KB and build number until the ID lands. Related coverage: SAP shipped three criticals on the same day’s patch cycle, and Rapid7 disclosed a SharePoint auth-bypass half of a chained pre-auth RCE — Patch Tuesday spillover is heavy this week.

Found this useful? Share it.