Mastodon Mastodon Mastodon Mastodon

Why Progress Is Forcing ShareFile Storage Zone Controllers Offline

Photo of author

CyberSecureFox Editorial Team

Published:

Progress Software has instructed ShareFile customers to immediately shut down Windows servers running the Storage Zone Controller component, citing a “credible external security threat.” The company has preemptively blocked access to affected accounts and engaged outside experts, but has not disclosed either the nature of the threat or the actors behind it. The incident affects only organizations using self‑hosted storage controllers — standard cloud‑hosted ShareFile accounts continue to operate. All administrators of affected systems should comply with the shutdown directive without delay and initiate their incident response process.

Timeline and confirmed facts

Information about the incident became public on 10 July, when one customer posted Progress’s email on Reddit (r/sysadmin). The company confirmed the outage on the ShareFile status page, listing Storage Zone Controller as “not operational” and marking the incident as under investigation (update as of 12:12 EDT).

Storage Zone Controller is a server‑side component that an organization deploys in its own infrastructure. It allows files to be stored locally while using the ShareFile cloud for management and file sharing. Typically, the controller is placed at the network perimeter and is reachable from the internet, which makes it an attractive target for attackers.

What Progress is saying (and not saying)

Progress’s wording deserves special attention. The company stated that it is acting “out of an abundance of caution” and that it has no evidence of unauthorized access to ShareFile accounts or data. However, this assertion is not backed by independent verification and, more importantly, does not rule out compromise of the controllers themselves — it speaks only to accounts and data in the cloud.

The key signal is the nature of the directive itself. Progress has ordered servers to be completely shut down, rather than patched. If a fix were available, the logical step would be to distribute it. A requirement for total shutdown usually points to one of two scenarios: either the vulnerability has no patch yet (a zero‑day situation), or the problem is of a kind that a patch cannot address — for example, compromise of cryptographic keys or an incident on the vendor’s own side. At the time of publication, Progress has not provided a CVE identifier, a technical description of the threat, or any timeframe for restoration of service.

Historical context: a recurring pattern

This is not the first security incident linked to this component. In 2023, when ShareFile still belonged to Citrix, attackers actively exploited CVE-2023-24489, a critical unauthenticated access control flaw in Storage Zones Controller. According to NVD, the vulnerability affected versions up to 5.11.24 and the 5.12.x line up to 5.12.4. At that time, Citrix likewise disconnected unpatched controllers from the ShareFile cloud — the same approach Progress is now taking.

It is worth noting a discrepancy between sources: the original material claims that CISA added CVE-2023-24489 to its Known Exploited Vulnerabilities (KEV) catalog, but according to NVD this vulnerability is not marked as included in the CISA KEV. This inconsistency does not change the seriousness of the current incident, but it does call for caution when drawing historical parallels.

Progress itself, which acquired ShareFile in 2024, previously experienced a large‑scale attack on its MOVEit Transfer product. The 2023 campaign, attributed to the Clop group, affected, by various estimates, thousands of organizations. The company therefore already has experience responding to mass incidents in file transfer products.

In addition, two more critical vulnerabilities in Storage Zone Controller were fixed in early 2025, but Progress has not linked the current threat to either of them, and there is no information about their exploitation.

Risk assessment

The greatest risk falls on organizations whose Storage Zone Controllers are exposed to the internet — which is the standard configuration for this component. Given that the controller processes corporate files and is integrated with the ShareFile cloud infrastructure, a potential compromise could lead to leakage of confidential data, lateral movement within the corporate network, or use of the server as a foothold for further attacks.

The absence of a patch and uncertainty around restoration timelines create operational risks: organizations that rely on ShareFile for file exchange with partners are forced to look for temporary alternatives.

Practical recommendations

  1. Immediately shut down all Storage Zone Controller servers. Do not bring them back online until Progress gives official clearance, even if the software version is current.
  2. Confirm that you are running a current version: 5.12.4 or later in the 5.x line, or any 6.x release. This closes previously fixed vulnerabilities but is not a reason to restart — Progress has not confirmed that updating mitigates the current threat.
  3. Treat every internet‑accessible controller as potentially compromised. Preserve logs and initiate your incident response procedure.
  4. Inspect the controller’s file system for unusual .aspx files in web directories and storage paths that were not created by an administrator.
  5. Monitor updates on the ShareFile status page for information on the nature of the threat and restoration timelines.

Until Progress discloses the nature of the threat and issues concrete recovery instructions, the only safe course of action is to keep controllers offline. Organizations for which file exchange is critical should activate backup data transfer channels and document all response actions — this information will be needed for subsequent incident analysis when Progress finally releases the details.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.