Particle.news

Progress Issues Patch After Zero-Day Forces ShareFile Storage Zone Shutdown

A path traversal bug that lets an authenticated admin read or write arbitrary files prompted Progress to require customers to take internet-facing controllers offline and reinstall updates before reconnecting.

Overview

  • Progress confirmed on Tuesday that a high-severity zero-day path traversal flaw in ShareFile Storage Zone Controller 5.x and 6.x caused last week’s emergency shutdown and has reserved a CVE to be published in about two weeks.
  • The company released patched controller versions 5.12.5 and 6.0.2 and instructed customers to install those updates before bringing internet-facing Storage Zone Controllers back online.
  • Progress says it has no evidence of unauthorized access or an active threat so far but declined to provide full technical details publicly and has not answered all follow-up questions from reporters.
  • Security experts urged caution because Progress’s description says the bug requires authenticated administrative access, which normally would not trigger such an aggressive disconnect order and raises questions about undisclosed risk or observed activity.
  • Storage Zone Controllers keep transferred files on customer-managed Windows servers, so the outage halted access for affected customers and revived concerns about data-theft and extortion risks and the need for post-patch validation of systems.