Progress Software sent an urgent email to ShareFile customers the evening of July 10 with a subject line that left no room for ambiguity: “Service Disruption. Immediate Action Required.” The company told customers running Storage Zone Controllers to shut down their Windows servers immediately, citing what it called a “credible external security threat.”
The email became public when a system administrator posted it to Reddit’s r/sysadmin a few hours later.
Storage Zone Controllers are the on-premises component of ShareFile’s hybrid deployment model. Organizations that use them keep their files on their own infrastructure while ShareFile’s cloud handles authentication, user management, and collaboration. Because the controller sits between the cloud platform and company-managed storage, handling every file upload and download, it typically lives at the network’s edge with internet exposure. That’s what makes it useful, and that’s what makes it a target.
Progress confirmed it’s responding to a credible external security threat and said it took the access-disabling step out of an “abundance of caution” while working with internal and external security experts.
“We have reason to believe there is a credible external security threat targeting Progress Software’s ShareFile Storage Zone Controllers. Currently, we have no indication of unauthorized access to any Progress ShareFile accounts or data. As a precaution, we have temporarily disabled access to ShareFile accounts using the Storage Zone Controllers, including yours.” reads the letter. “IMMEDIATE ACTION REQUIRED: You must manually shut down the server hosting your Storage Zone Controllers. This is a critical additional step to ensure the safety of your data.”
Cutting off cloud-side access apparently wasn’t considered sufficient on its own. Progress also instructed customers to manually shut down the physical Windows servers hosting their Storage Zone Controllers, calling it a critical additional step. The ShareFile status page confirmed the disruption at 12:12 p.m. EDT, listing Storage Zone Controller customers as not operational with an active investigation underway. Only the hybrid Storage Zone Controller deployment is affected. Standard cloud-only ShareFile accounts are not impacted.
Progress hasn’t disclosed details about the threat, who is behind it, whether any controller has been compromised, or when customers can safely restart. It is also unknown which version is potentially impacted by the current threat. That’s a narrow information window for organizations that may be sitting on sensitive files and need to assess their exposure.
ShareFile’s Storage Zone Controllers have a documented history with exactly this kind of threat. In 2023, while the product still belonged to Citrix, attackers exploited an unauthenticated remote code execution flaw, CVE-2023-24489, in the Storage Zones Controller. CISA flagged it as actively exploited, and Citrix cut unpatched controllers off from the ShareFile cloud, which is precisely the same access block Progress has now imposed. Progress acquired ShareFile in 2024.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Progress Told ShareFile)