Progress Software confirmed this and asked ShareFile customers to shut down Windows Server running their Storage Zone Controller hacker news It is responding to a “credible external security threat”.
The company has temporarily disabled access to the affected accounts, a move it says it took “out of an abundance of caution” while working with internal and external security experts.
It says it has no sign of unauthorized access to any ShareFile accounts or data, and that it notified customers after learning of the threat.
Progress did not say what the threat was or who was behind it.
The order became public when a customer posted the company’s email on Reddit’s r/sysadmin on July 10. Progress confirmed the disruption on its status page, listing Storage Zone Controller customers as “not in operation” and saying the incident was under investigation as of a 12:12 a.m. EDT update.
Only storage zone controllers are affected, not standard cloud-only ShareFile accounts. The controller is a server that the company runs itself, so files can remain on its own storage while it still uses ShareFile’s cloud to share and manage them.
The controller usually sits at the edge of the network, accessible from the Internet. That performance makes it both useful and a target. Ordering customers to take it completely offline instead of patching it is a notable move.
That choice is a statement in itself. If a solution to this threat existed, Progress would tell customers to implement it; The shutdown command shows that there is none yet. This usually means the company is rushing to close a newly discovered flaw, although the same move would also be appropriate for a threat that the patch can’t address, such as stolen keys or a problem on Progress’s own end.
Its statement that no accounts or data were accessed is carefully worded, and does not rule out trouble on the controllers themselves.
What do we do now
- Follow the first shutdown order. Take affected controllers offline until progress determines what the threat is and when it is safe to restart.
- Separately, confirm that your version is current: 5.12.4 or later on the 5.x line, or a 6.x release. This will fix the bugs fixed earlier this year, but Progress hasn’t said it removes the existing threat, so don’t take that as permission to restart.
- If a controller is available from the Internet, handle this as a potential incident. Save the logs and start your incident-response process, then check for unfamiliar .aspx files in web folders and storage paths you haven’t set up. A neat looking server is not proof that it is clean.
ShareFile has faced this before. In 2023, while the product was still owned by Citrix, attackers exploited an unpatched flaw in the same storage zone controller (CVE-2023-24489).
CISA actively flagged it as an exploit, and Citrix cut off unpatched controllers from the ShareFile cloud, the same access block Progress has now imposed.
Progress, which acquired ShareFile in 2024, had already suffered its own massive file-transfer attack: MOVEit, whose 2023 zero-day exploit was exploited by the Clop group and affected more than 2,700 organizations.
Storage Zone Controller also had two serious flaws that were disclosed by Watchtower in April and patched by Progress in March, although the company has not linked them to the current threat, and neither exploit has been reported.
The central question still remains unanswered: Progress has taken these systems offline and is working with outside experts, but has not said what the threat is or when customers can safely bring them back online.