Progress ShareFile Pre-Auth RCE Chain: 30,000 Servers Exposed and Saudi Banks Must Patch Now

Two chained ShareFile flaws give attackers full server control without credentials. With 30,000 instances exposed globally, Saudi financial institutions running on-premise ShareFile must act before exploitation campaigns begin.

FyntraLink Team

On April 2, 2026, watchTowr publicly disclosed a devastating two-bug chain in Progress ShareFile's Storage Zones Controller that grants unauthenticated attackers full remote code execution on customer-managed servers. With roughly 30,000 Storage Zone Controller instances exposed on the public internet and ShareFile widely adopted by financial institutions for regulated document exchange, this is not a theoretical risk — it is an operational emergency for any Saudi bank or insurer still running self-hosted ShareFile 5.x.

The Vulnerability Chain: Authentication Bypass Meets Webshell Upload

The attack exploits two distinct flaws in sequence. CVE-2026-2699 (CVSS 9.8) is an authentication bypass caused by improper handling of HTTP redirects in the ShareFile admin interface. An unauthenticated attacker can craft a request that sidesteps login entirely, landing directly inside the administrative console. No credentials, no session tokens, no MFA challenge — just raw access to every configuration toggle ShareFile exposes.

Once inside, the attacker pivots to CVE-2026-2701 (CVSS 9.1), a remote code execution flaw rooted in the file upload and extraction logic. By modifying Storage Zone configuration settings — including file storage paths and the zone passphrase — the attacker uploads a malicious ASPX webshell disguised as a legitimate archive. ShareFile's extraction routine places the webshell directly into the application's webroot, where it becomes reachable over HTTP. From that point, the attacker has arbitrary command execution under the context of the IIS application pool, which typically runs with elevated privileges.

The entire chain — from first HTTP request to live webshell — requires no prior access, no insider knowledge, and no user interaction. watchTowr confirmed that a working exploit can be constructed from the advisory details alone, meaning threat actors with moderate skill can weaponize this within days of disclosure.

Why ShareFile Matters in Regulated Financial Environments

ShareFile is not a generic cloud storage product. Financial institutions use it precisely because it offers on-premise storage zones that keep regulated data within controlled perimeters — a key requirement for meeting SAMA's data residency and third-party risk expectations under the Cyber Security Compliance Control (CSCC) framework. Audit firms, legal counsel, and compliance officers routinely exchange board reports, internal audit findings, PCI-DSS assessment results, and customer PII through ShareFile portals. A compromised ShareFile server does not just leak documents; it exposes the institution's entire compliance posture, ongoing investigations, and strategic decisions to adversaries.

Self-hosted deployments on the older 5.x branch are specifically affected. Organizations that migrated to ShareFile's cloud-hosted model or upgraded past version 5.12.4 are not vulnerable. But in Fyntralink's experience working with Saudi financial institutions, many on-premise ShareFile deployments lag multiple patch cycles behind, particularly when infrastructure teams require change advisory board (CAB) approval before touching production file-sharing servers.

Impact on Saudi Financial Institutions Under SAMA and NCA Regulations

SAMA CSCC Domain 3 (Technology Operations Management) mandates continuous vulnerability management with defined SLAs for critical and high-severity patching. A CVSS 9.8 authentication bypass paired with a CVSS 9.1 RCE constitutes a critical-severity chain that falls squarely within the 72-hour remediation window most institutions define in their vulnerability management policies. Failing to patch within that window creates a documented non-compliance finding that SAMA examiners will flag during the next assessment cycle.

NCA's Essential Cybersecurity Controls (ECC) reinforce this through Control 2-3-1 (Vulnerability Management) and Control 2-7 (Application Security), both of which require organizations to identify, assess, and remediate vulnerabilities in externally accessible systems on a priority basis. A ShareFile Storage Zone Controller exposed to the internet with a known pre-auth RCE chain is a textbook example of the risk these controls are designed to prevent.

From a PDPL perspective, ShareFile servers processing personal data of Saudi residents fall under the Personal Data Protection Law's breach notification requirements. If an attacker leverages CVE-2026-2699 and CVE-2026-2701 to exfiltrate client documents containing national ID numbers, financial records, or health information, the institution faces mandatory notification to SDAIA within 72 hours and potential penalties for inadequate technical safeguards.

Indicators of Compromise and Detection Guidance

SOC teams should hunt for several indicators immediately. Monitor IIS access logs on ShareFile servers for unusual POST requests to administrative endpoints originating from external IP addresses, particularly requests that bypass the expected authentication redirect flow. Look for newly created .aspx files in the ShareFile webroot directories that do not match known application files — any file created after March 10, 2026, that was not part of a sanctioned patch deployment deserves investigation. Review Storage Zone configuration changes in ShareFile's audit log, focusing on modifications to file storage paths and zone passphrases that were not initiated by authorized administrators.

Network-level detection should flag outbound connections from ShareFile servers to external IP addresses or domains not associated with Progress Software's update infrastructure. Attackers who establish webshell access typically follow up with data exfiltration over HTTP/HTTPS or establish reverse shells to command-and-control infrastructure within minutes of gaining access.

Recommendations and Actionable Steps

  1. Patch to ShareFile 5.12.4 or later immediately. Progress released the fix on March 10, 2026. If your CAB process delays production patching, apply the update to a staging environment today and escalate through your emergency change process. A pre-auth RCE chain on an internet-facing file server justifies an emergency change window.
  2. Audit internet exposure. Use Shodan, Censys, or your external attack surface management tool to confirm whether any ShareFile Storage Zone Controller instances are directly reachable from the internet. If they are, place them behind a WAF or VPN gateway while patching proceeds.
  3. Rotate all ShareFile zone passphrases and administrative credentials. If the server was exposed before the patch was applied, assume the zone passphrase and admin session tokens may have been compromised. Rotate them and invalidate all active sessions.
  4. Conduct forensic review of IIS logs and webroot directories. Search for .aspx files created after March 10 that are not part of the ShareFile application. Examine IIS request logs for admin-panel access patterns from unexpected source IPs.
  5. Review third-party risk assessments. If your institution uses a managed ShareFile deployment operated by a third-party provider, contact them immediately to confirm their patch status. Under SAMA CSCC's third-party risk requirements, you are accountable for the security posture of your service providers.
  6. Update your vulnerability management policy. Ensure your internal SLA for critical-severity vulnerabilities (CVSS ≥ 9.0) on internet-facing systems reflects a 72-hour or shorter remediation window, aligned with SAMA and NCA expectations.
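A worked hunt over IIS access logs for the two patterns named in the detection guidance above and in step 4 of the recommendations (administrative requests from external addresses that never went through the login flow, and hits on .aspx pages that are not part of the shipped application). This is an added example, not Fyntralink's tooling or anything from the ShareFile product; the log excerpt is constructed, and the admin prefix, login pages, baseline page list and internal address ranges are placeholders you must replace with your own deployment's values.

```python
import ipaddress

# Constructed IIS W3C log excerpt; the paths and addresses are illustrative only.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-04-03 09:12:01 10.0.0.5 GET /login.aspx - 10.0.1.20 200
2026-04-03 09:12:44 10.0.0.5 POST /admin/ConfigurationSettings.aspx - 203.0.113.7 200
2026-04-03 09:13:02 10.0.0.5 GET /admin/Login.aspx - 203.0.113.7 302
2026-04-03 09:13:30 10.0.0.5 GET /uploads/tmp1.aspx - 203.0.113.7 200
2026-04-03 09:15:00 10.0.0.5 POST /admin/ConfigurationSettings.aspx - 10.0.1.20 200
"""

# Assumed placeholders: substitute the real admin path prefix, login pages,
# the baseline of .aspx pages shipped with your version, and your internal ranges.
ADMIN_PREFIX = "/admin/"
LOGIN_PAGES = {"/login.aspx", "/admin/login.aspx"}
KNOWN_ASPX = LOGIN_PAGES | {"/admin/configurationsettings.aspx"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_external(ip):
    """External means outside every range in INTERNAL_NETS (not ipaddress.is_global)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt_log(text):
    """Return (time, client_ip, reason) tuples for the two indicators described above."""
    findings, saw_login = [], set()
    for r in parse_w3c(text):
        ip, uri, status = r["c-ip"], r["cs-uri-stem"].lower(), r["sc-status"]
        if uri in LOGIN_PAGES:           # remember clients that went through the login page
            saw_login.add(ip)
            continue
        if uri.startswith(ADMIN_PREFIX) and status == "200" and is_external(ip) and ip not in saw_login:
            findings.append((r["time"], ip, f"admin {r['cs-method']} {uri} from external IP, no prior login"))
        if uri.endswith(".aspx") and uri not in KNOWN_ASPX and status == "200":
            findings.append((r["time"], ip, f"hit on unknown page {uri}: possible webshell"))
    return findings
```

Run it against the real log directory by reading each daily file into `hunt_log`; every finding should be reconciled against the ShareFile audit log entries for the same timestamps before the server is declared clean.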

Conclusion

The Progress ShareFile pre-auth RCE chain is a stark reminder that the tools organizations deploy to protect sensitive document exchange can themselves become the breach vector. With 30,000 exposed instances globally, exploitation at scale is a matter of when, not if. Saudi financial institutions that rely on self-hosted ShareFile have a narrow window to patch, hunt for existing compromise, and harden their file-sharing infrastructure before threat actors operationalize this chain in targeted campaigns.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a targeted review of your file-sharing infrastructure security posture.