```html ``` Progress Just Told ShareFile Customers to Physically Power Down Their Servers. No Patch. No CVE. No Explanation.
top of page

Progress Just Told ShareFile Customers to Physically Power Down Their Servers. No Patch. No CVE. No Explanation.

  • Writer: Patrick Duggan
    Patrick Duggan
  • a few seconds ago
  • 4 min read

When a software vendor tells you to apply a patch, that is a Tuesday. When a vendor tells you to physically walk over to the server and pull the power — and cannot tell you which vulnerability, cannot give you a CVE, and does not have a fix — that is something else. That is the vendor knowing something they are not saying. Progress Software just did exactly that to its ShareFile customers, and the silence is the story.



What Progress said


Progress emailed customers running on-premises ShareFile Storage Zone Controllers and told them to immediately power down the servers hosting those components, citing a "credible external security threat" against the platform. Not throttle it. Not firewall it. Shut it off. Progress says it has already disabled account access through the Storage Zone Controllers for all affected customers itself, and it is telling administrators that manually shutting down the underlying servers is a "critical additional step" to protect their data.


Read what is missing from that advisory, because the absences are load-bearing. There is no CVE. There is no patch — Progress explicitly has no fix available. There is no technical description of the threat. Progress says it has no current indication of unauthorized access to ShareFile accounts or data, which is the reassuring sentence, and yet it is still telling thirty thousand-odd internet-facing servers to go dark. Companies do not tell paying customers to unplug production file-transfer infrastructure on a vibe. "Credible external security threat" with no details and no patch is the language of an active, unresolved incident that the vendor understands better than it is willing to print.



The part they went out of their way to say


Here is the detail that makes this more interesting, not less. Storage Zone Controller already had a serious problem this year. In April, watchTowr disclosed two chainable vulnerabilities in the component: CVE-2026-2699, an authentication bypass scored 9.8, and CVE-2026-2701, a remote code execution flaw scored 9.1. Chained, they let an unauthenticated attacker reach restricted configuration pages and upload a malicious ASPX webshell for full remote code execution with no credentials at all. watchTowr's scan found nearly thirty thousand visible instances. The fix then was to upgrade to 5.12.4 or move to the v6 branch, which was never affected.


You would assume the July emergency is those bugs coming home. Progress went out of its way to say it is not. They explicitly declined to connect this incident to CVE-2026-2699 or CVE-2026-2701. Which leaves two possibilities and both are uncomfortable: either there is a new, undisclosed vulnerability in Storage Zone Controller serious enough to justify pulling the plug with no patch in hand, or the threat is something about the platform's architecture that a patch cannot address quickly. Neither of those is a story a vendor tells happily, which is probably why the advisory is as sparse as it is.



Why this rhymes


Progress is not a random name to have in this position. This is the company behind MOVEit Transfer, the managed-file-transfer product whose 2023 zero-day became one of the largest mass-exploitation events in recent memory, feeding Cl0p's extortion machine for over a year. Managed file transfer is a category attackers love precisely because the product's whole job is to sit on the internet and hold everyone's sensitive files in one place — it is a vault with a front door, and the front door has to be reachable. ShareFile is that same shape. When the vendor of a MOVEit-class product tells you to unplug with no explanation, the pattern-matching writes itself, and the correct posture is to assume the worst and act now, not wait for the CVE that will explain it later.



What to do


If you run on-premises ShareFile Storage Zone Controllers, follow the advisory — power the servers down, now, and treat the data they touched as potentially exposed until Progress says otherwise in writing. If you are on the v6 branch you have less to worry about from the April chain, but the July advisory is not scoped to a version, so do not assume you are clear on the current threat. Watch Progress's advisory page directly rather than waiting for it to reach you; the email is how customers found out, and email is slow.


Held to about ninety-five percent, because the entire point of this post is that the facts are not public yet: we do not know what the threat is, and neither, apparently, will you until Progress decides to describe it. But you do not need the CVE to make the call. A vendor that tells you to unplug is a vendor telling you the quiet part with its actions instead of its words. Believe the actions.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page