Progress ShareFile Path Traversal Zero-Day Confirmed, Patches Out

Progress confirmed a path traversal zero-day in ShareFile SZC 5.x and 6.x after ordering an emergency shutdown. Patches 5.12.5 and 6.0.2 are now available.
Table of Contents
    Add a header to begin generating the table of contents

    Progress Software confirmed that the emergency shutdown of ShareFile Storage Zone Controller servers it ordered to customers was triggered by a high-severity zero-day path traversal vulnerability affecting all 5.x and 6.x versions of the on-premises component. Patches 5.12.5 and 6.0.2 are now available. The preemptive shutdown, which Progress ordered before publicly disclosing the vulnerability’s technical details, drew comparisons to the pre-exploitation window that preceded the MOVEit Transfer attacks — while demonstrating a meaningfully different response.

    Path Traversal in ShareFile Storage Zone Controller 5.x and 6.x

    Progress Software’s July 14 advisory confirmed that the vulnerability class is path traversal — a flaw category that allows an attacker to navigate outside intended directory boundaries on the server’s filesystem. The affected component is the ShareFile Storage Zone Controller, the on-premises module that enterprises deploy to store ShareFile data locally under their own custody while maintaining cloud-side management integration.

    All Storage Zone Controller deployments running 5.x or 6.x software versions are affected. Progress released patched versions 5.12.5 for the 5.x branch and 6.0.2 for the 6.x branch, and is urging immediate installation. Progress stated at time of disclosure that it had found no indication of unauthorized customer data access, and that the preemptive shutdown was triggered by credible threat intelligence received before the vulnerability became publicly known.

    What the SZC 5.x and 6.x Path Traversal Allows Through the Service Account

    An authenticated administrator who exploits the path traversal vulnerability can perform three distinct filesystem operations via the application’s service account: reading arbitrary files accessible to that service account, writing attacker-controlled content to arbitrary directories on the server, and enumerating the server filesystem layout. The cumulative effect is effectively full read/write access to everything the ShareFile service account can reach on the host system.

    In enterprise deployments, ShareFile service accounts typically hold access to the directories used to store client documents, contract files, financial records, and other sensitive business content that organizations route through a managed file transfer platform. The service account may also reach application configuration files and stored credential material that the SZC uses to authenticate to cloud-side integration endpoints. A path traversal at this privilege level gives an attacker both exfiltration access and the ability to plant attacker-controlled content on the server.

    A CVE identifier has been reserved for the vulnerability. Progress stated it would not publish the CVE for two weeks — a coordinated disclosure approach designed to give customers a patching window before threat actors gain access to the technical details that would enable automated exploitation.

    How Progress’s Preemptive SZC Shutdown Differed from the MOVEit Pattern

    Security analysts noted that the emergency shutdown — issued July 13 with no technical detail — carried structural similarities to the pre-disclosure pattern that preceded MOVEit Transfer’s 2023 exploitation by the Clop ransomware group. In that case, MOVEit vulnerabilities were exploited at scale across organizations before patches could be widely deployed, resulting in breaches at hundreds of organizations.

    Progress’s handling of the ShareFile situation differs in two respects. First, Progress ordered customers to shut down cloud-side access to the SZC proactively, before vulnerability details were public and before exploitation had been confirmed. Second, Progress confirmed on July 14 that no unauthorized access to customer data had been detected at the time of disclosure. The coordinated approach — shutdown first, confirm the vulnerability class, release patches, then withhold the CVE for two weeks — is intended to compress the window between patch availability and the point at which threat actors can develop reliable exploit code.

    Available Patches and Upgrade Path for SZC Deployments

    Organizations running ShareFile Storage Zone Controller 5.x should upgrade to version 5.12.5. Those running 6.x should upgrade to version 6.0.2. Progress’s advisory does not list any compensating controls or interim mitigations; the upgrade to a patched build is the only described remediation.

    Administrators should also review filesystem logs and application access logs for activity that occurred between the July 13 shutdown order and the completion of the patch installation. Because the path traversal requires authenticated administrator credentials, organizations should additionally audit which accounts hold administrative access to the SZC and whether any unusual administrator login activity appears in logs from the period before the shutdown was ordered. Progress’s advisory that it found no evidence of unauthorized access applies to the company’s own telemetry; individual organizations should conduct their own review of their specific SZC deployments.

    Related Posts