DEV Community

Etairos.ai
Etairos.ai

Posted on • Originally published at threat-intelligence.redeyesecurity.com

Progress Orders Emergency Shutdown of ShareFile Storage Zone Controllers Over Unnamed Threat

TL;DR

  • what: Progress Software ordered all ShareFile customers running self-hosted Storage Zone Controllers to shut the Windows servers down in response to a 'credible external security threat' it has not described.
  • impact: Storage Zone Controllers are offline and listed as 'not operational' worldwide, and any controller reachable from the internet should be treated as a possible incident, not just a service outage.
  • fix: There is no patch; keep controllers offline, confirm you are on 5.12.4+ or a 6.x release, preserve logs, and hunt for unfamiliar .aspx files and unexpected storage paths before any restart.
  • who: Any organization running a self-hosted ShareFile Storage Zone Controller is exposed; cloud-only ShareFile accounts are not affected.

Progress Software has told every ShareFile customer running a self-hosted Storage Zone Controller to shut the Windows servers down. Not patch them, not firewall them: power them off. The company confirmed to The Hacker News on July 10 that it is responding to a 'credible external security threat,' and it has temporarily blocked the affected accounts from the ShareFile cloud while it investigates with internal and external security experts. Its status page lists Storage Zone Controller customers as 'not operational' as of a 12:12 p.m. EDT update. Progress says it has no indication of unauthorized access to any ShareFile accounts or data. It has not said what the threat is, who is behind it, or when customers can safely bring the servers back.

What is actually affected

Only the Storage Zone Controller is in scope. Standard cloud-only ShareFile accounts are unaffected. The controller is the on-premises component of ShareFile's hybrid model: a Windows server a customer runs itself so files stay on its own storage while ShareFile's cloud handles sharing and management. To do that job it typically sits at the network edge, reachable from the internet. That placement is exactly what makes it valuable to attackers, and it is why an unexplained shutdown order for this specific component deserves more attention than a routine advisory. The order became public the way these things often do: a customer posted Progress's email to Reddit's r/sysadmin on July 10, and the status page confirmation followed.

The shutdown order is the tell

Read the response, not the statement. Vendors do not order customers to take revenue-relevant infrastructure fully offline when a fix exists; they tell customers to apply the fix. A shutdown order with no accompanying patch most plausibly means a newly discovered flaw that Progress is racing to close. The same move would also fit a threat a patch cannot address, such as stolen signing or authentication keys, or a compromise on Progress's own side of the service. Either way, the absence of a patch is the operative fact for defenders. Note also the careful wording: 'no indication of unauthorized access to ShareFile accounts or data' says nothing about the controllers themselves, which run on customer networks and hold customer files.

⚠️ Treat internet-facing controllers as a possible incident — If your Storage Zone Controller was reachable from the internet, do not treat this as a maintenance event. Preserve IIS and application logs now, before any rebuild, and start your incident-response process. Check web folders for unfamiliar .aspx files and look for storage paths you did not configure. A clean-looking server is not proof of a clean server; webshells on this product class are small and quiet.

What to do now

  • Comply with the shutdown order immediately and keep controllers offline until Progress identifies the threat and clears a restart. Progress has already cut affected accounts off from the cloud, so staying up buys you nothing.
  • Verify your version: 5.12.4 or later on the 5.x line, or any 6.x release. That closes the flaws patched earlier this year, but Progress has not said it addresses the current threat, so being current is not permission to restart.
  • Preserve logs from the controller and any upstream proxies or firewalls before touching the box. If the threat turns out to be pre-shutdown exploitation, this evidence is the difference between an answer and a guess.
  • Hunt for compromise indicators: unexpected .aspx files in web directories, storage zone paths you did not create, new local accounts, and outbound connections that do not belong.
  • Inventory downstream exposure. Know what data lives in the zones behind each controller so you can scope notification obligations quickly if this becomes a confirmed breach.

This product has been here before

The history is why urgency is warranted. In 2023, while ShareFile still belonged to Citrix, attackers exploited an unauthenticated flaw in the same Storage Zones Controller, CVE-2023-24489. CISA flagged it as actively exploited, and Citrix responded by cutting unpatched controllers off from the ShareFile cloud, the same access block Progress has now reimposed. Progress itself, which acquired ShareFile in 2024, carries the scar tissue of MOVEit: the 2023 zero-day exploited by the Clop extortion group that hit more than 2,700 organizations and remains one of the largest mass file-transfer compromises on record. More recently, watchTowr disclosed two critical Storage Zones Controller flaws in April that Progress had patched in March. Progress has not connected the current threat to those bugs, and neither has been reported as exploited, but the pattern is consistent: internet-facing file-transfer infrastructure keeps producing high-severity, remotely reachable flaws, and attackers keep showing up for them.

Version check is necessary, not sufficient — Running 5.12.4+ or 6.x closes the March 2026 flaws, and confirming your version now saves time later. But Progress has explicitly not said current versions clear this threat. The only sanctioned state today is offline.

The bottom line

A vendor with MOVEit in its recent past just told customers to unplug an internet-facing file-transfer component rather than patch it. That is the strongest signal available that no fix exists yet, and it puts the burden on defenders to assume the worst about any controller that was exposed. Shut down, preserve evidence, hunt, and hold the restart until Progress names the threat. Given how quickly Clop and its imitators have historically moved on file-transfer flaws once details surface, the window between disclosure and mass exploitation on this product class is measured in days. RedEye is tracking the incident and will update as Progress releases technical details.


Originally published on RedEye Threat Intelligence.

Top comments (0)