Progress Software has confirmed that a zero-day vulnerability triggered the recent disruption to its ShareFile Storage Zones Controller service, and says access has now been restored to affected customers.

The confirmation comes two days after Progress disabled ShareFile account access for all customers running Storage Zones Controllers, citing what it called a “credible external security threat.” The company told SecurityWeek that access was restored on Tuesday, July 14th, following the shutdown it had previously communicated to customers.

Progress said the issue is a high-severity vulnerability affecting versions 5.x and 6.x of Storage Zones Controller. “We developed and released patched versions to customers, and once patched, these customers’ Storage Zones Controllers will be operational,” the company said.

Path Traversal Flaw Requires Admin Access

According to a private customer notification shared on Reddit, the vulnerability is a path traversal bug that requires an attacker to already hold authenticated administrative privileges. Once exploited, it allows an authenticated admin user to read arbitrary files accessible to the application’s service account, write attacker-controlled content to arbitrary directories, or enumerate the server’s filesystem layout.

Progress has not released full technical details of the flaw and has not responded to further questions from SecurityWeek. The company maintains it has no evidence of unauthorized access to any ShareFile customer account or data, and has not identified any active threat.

Security Researchers Question the Response

WatchTowr founder and CEO Benjamin Harris noted that the scale of the response seems disproportionate to a vulnerability that already assumes attacker administrative access. He questioned whether Progress may have observed additional attacker activity that has not been disclosed, or whether there is more to the underlying issue than the public description suggests.

Harris advised defenders to treat the situation with caution even after patching. Organizations should assume that a vendor instructing customers to disconnect internet-facing servers, followed days later by a patch for what is described as an admin-only exploitable flaw, warrants deeper scrutiny.

Recommended Actions

  • Update ShareFile Storage Zones Controllers to the patched versions immediately
  • Review administrative account activity and access logs for signs of compromise predating the patch
  • Treat any internet-exposed Storage Zones Controller instances as potentially compromised until verified otherwise
  • Monitor for further disclosure from Progress on the nature of the vulnerability