Progress Tells ShareFile Users to Shut Down Storage Zone Controllers Now
Progress Software has issued an urgent warning to ShareFile customers, instructing them to immediately take offline the Windows servers running their Storage Zone Controllers in response to a "credible external security threat." The company confirmed to The Hacker News that it has temporarily disabled access to affected accounts "out of an abundance of caution" while it works with internal and external security experts. According to Progress, there is currently no indication of unauthorized access to ShareFile accounts or data, though it has not disclosed the nature of the threat, the threat actor, or an estimated remediation timeline. The shutdown order became public when a customer posted Progress's email to Reddit's r/sysadmin on July 10, and the company's status page lists Storage Zone Controller customers as "not operational" as of a 12:12 p.m. EDT update.
Only the on-premises Storage Zone Controller is affected; standard cloud-only ShareFile accounts remain functional. The controller is a self-hosted Windows server that lets organizations keep files on their own storage while still using ShareFile's cloud to share and manage them. Because these controllers typically sit at the network edge and are reachable from the internet, they represent a high-value attack surface. Defenders should use a port scanner to confirm whether controllers are publicly accessible, and run an SSL/TLS checker to validate the security of any exposed management interfaces. The decision to order a full shutdown rather than issue a patch is itself significant: if a fix existed, Progress would be telling customers to apply it. The shutdown order strongly suggests a newly discovered flaw the vendor is racing to close, or a threat a patch cannot address, such as stolen signing keys, compromised credentials, or an issue on Progress's own side.
In the meantime, customers should follow the shutdown order and keep affected controllers offline until Progress provides concrete guidance. Admins should also confirm they are running ShareFile Managed File Transfer versions 5.12.4 or later on the 5.x line, or any 6.x release, to close flaws fixed earlier this year — though Progress has not stated these versions mitigate the current threat, so updating is not a substitute for staying offline. Organizations with internet-reachable controllers should treat the situation as a possible incident: preserve logs, initiate the incident response process, and audit web folders and storage paths for unfamiliar .aspx files that could indicate web shell deployment. A clean-looking server is not proof of integrity. ShareFile has faced this exact component before — in 2023, attackers exploited CVE-2023-24489, an unauthenticated flaw in the Storage Zones Controller that CISA later added to its Known Exploited Vulnerabilities catalog, prompting Citrix, then the product owner, to cut unpatched controllers off from the ShareFile cloud, the same access block Progress has now imposed.