ShareFile Storage Zones Back Online After Security Scare
Progress Software has restored access to its ShareFile Storage Zones Controller after a four-day security suspension. The company pulled the plug on July 10 after detecting what it called a credible external threat. By July 14, service was back up.
ShareFile is Progress’s flagship enterprise file-sharing platform. The Storage Zones Controller is the component that gives corporate customers their own private data storage — a critical feature for organizations that need to keep files on-premises or in a controlled cloud environment.
The incident stemmed from a high-severity path traversal vulnerability. Progress confirmed to Infosecurity that attackers exploited the flaw, which affects Storage Zones Controller versions 5.x and 6.x.
“We developed and released patched versions to customers and once patched, these customers’ Storage Zones Controllers will be operational,” the company said.
The patched builds are version 5.12.5 and version 6.0.2.
No CVE Yet — And Here’s Why
Progress hasn’t published a CVE identifier for the vulnerability. The company told BleepingComputer it’s deliberately holding back the details to give customers time to apply the patches before the information goes public. That’s a standard responsible-disclosure playbook move, but it also means security teams can’t look up the flaw in public databases yet.
“At this time, we have no evidence of unauthorized access to any ShareFile customer account or data, and we have not identified any active threat,” Progress told Infosecurity.
That’s good news for the companies that rely on ShareFile for sensitive document sharing. Still, the four-day outage and the need for emergency patching are reminders of how quickly things can go sideways.
A Familiar Pattern for Progress
This isn’t Progress’s first run-in with a serious security incident. In 2023, the company’s MOVEit Transfer product was exploited in a massive ransomware campaign that hit hundreds of organizations worldwide. The Clop ransomware group used a SQL injection vulnerability to steal data from MOVEit servers, and the fallout dragged on for months.
Then in April 2026, a critical vulnerability in MOVEit Automation resurfaced, causing further disruptions.
Each time, Progress has scrambled to issue patches and reassure customers. The ShareFile incident follows the same script: detect, suspend, patch, restore. But for IT teams managing these systems, the pattern is exhausting — and costly.
What Path Traversal Means for Your Data
A path traversal vulnerability lets an attacker read files outside the intended directory. In the context of Storage Zones, that could mean accessing configuration files, credentials, or other sensitive data stored on the server. The severity rating was high, not critical, but the fact that it was actively exploited made the shutdown necessary.
Progress hasn’t shared details on who exploited the flaw or how they found it. The company’s security team is likely still investigating the incident’s scope.
What ShareFile Customers Should Do Now
If you’re running Storage Zones Controller, the fix is straightforward:
- Upgrade to version 5.12.5 or 6.0.2 immediately.
- Check your logs for any unusual activity between July 10 and July 14.
- Review access controls on your storage zones.
Progress says patched controllers will operate normally. Unpatched ones won’t be supported and could remain exposed if the vulnerability details leak before you update.
For organizations that use WhatsApp HD photo sending or other consumer-grade file sharing, this incident is a good reminder that enterprise tools come with their own risks — and responsibilities.
The Bigger Picture: Enterprise File Sharing Under Pressure
Enterprise file-sharing services like ShareFile, Egnyte, and Box have become essential for remote work. They handle contracts, financial data, HR records — the kind of material that keeps compliance officers up at night.
But every feature that adds convenience also adds attack surface. Storage Zones, for example, gives customers control over where their data lives. That’s great for compliance. It also means a vulnerability in that component can expose data that’s supposed to be locked down.
Progress’s decision to suspend the service was aggressive but probably wise. A four-day outage beats a data breach. Still, customers are left wondering: how many more of these incidents are coming?
For now, patch your systems, verify your backups, and keep an eye on Progress’s security advisories. The CVE will drop eventually — and when it does, you’ll want to already be on a fixed version.