A newly disclosed pre-authentication RCE chain affects Progress ShareFile Storage Zones Controller 5.x, with the flaw chain combining CVE-2026-2699 and CVE-2026-2701 to compromise exposed customer-managed deployments. According to public advisories, CVE-2026-2699 is an authentication bypass (CVSS 9.8) and CVE-2026-2701 is the remote code execution component (CVSS 9.1), and both were present in StorageCenter_5.12.3 before being fixed in 5.12.4.
The chain can allow an unauthenticated attacker to bypass access controls, abuse upload and extraction behaviour, and place a malicious ASPX webshell in the webroot, turning an exposed server into a remotely controllable foothold. Public reporting indicates the affected component is the customer-managed Storage Zones Controller in the 5.x branch, with versions prior to 5.12.4 impacted. Progress had released a fix on 10 March 2026, and watchTowr publicly disclosed the chain on 2 April 2026.
Although Progress had not confirmed in-the-wild exploitation at the advisories’ time, defenders are urged to upgrade to 5.12.4 or later and review exposure of internet-facing ShareFile infrastructure.