Progress Software is urging customers using ShareFile Storage Zone Controller deployments to immediately shut down their Windows servers after identifying what it describes as a credible external security threat.
The company has not disclosed the nature of the Progress ShareFile security threat, whether it involves a zero-day vulnerability, or whether any customer environments have been compromised at the time of publication.
“As an industry, we’ve seen this play out before. File transfer solutions hold an organization’s most sensitive data and sit at the heart of critical business processes,” said Benjamin Harris, Founder and CEO of watchTowr, in an email to eSecurityPlanet.
He added, “It’s no surprise that they repeatedly become targets for exploitation.”
Key takeaways
- Progress has instructed customers using ShareFile Storage Zone Controllers to immediately shut down affected Windows servers in response to a credible external security threat.
- The company has not disclosed the nature of the threat or confirmed whether any customer environments have been compromised.
- ShareFile Storage Zone Controllers are internet-facing components that connect ShareFile’s cloud platform with customer-managed on-premises storage, making them an attractive target for attackers.
- Progress said there is currently no indication that ShareFile accounts or customer data have been accessed without authorization, and the investigation is ongoing.
- Organizations should prioritize containment, preserve forensic evidence, investigate for indicators of compromise, and wait for validated remediation guidance before restoring affected systems.
How ShareFile Storage Zone Controllers work
ShareFile is an enterprise file-sharing and collaboration platform that enables organizations to securely store, share, and manage business data.
While many customers use the cloud-hosted service, others deploy a ShareFile Storage Zone Controller on Windows servers to keep files on-premises while using ShareFile for authentication, user management, and collaboration.
In these hybrid deployments, the Storage Zone Controller acts as the intermediary between ShareFile’s cloud services and customer-managed storage.
When users upload or download files, the controller processes those requests and transfers data between the organization’s local storage environment and authorized users.
A compromised controller could provide a pathway to sensitive business data or serve as an entry point to connected systems.
Because these servers are typically internet accessible while also maintaining connectivity to internal storage resources, they represent a key component of an organization’s external attack surface, making them attractive targets for threat actors.
How Progress is responding to the ShareFile security threat
According to Progress, there is currently no indication that ShareFile accounts or customer data have been accessed without authorization.
As a precaution, the company temporarily disabled access to ShareFile accounts using these controllers and instructed administrators to manually shut down every affected Windows server.
Progress said disabling cloud access alone is not sufficient to protect customer environments.
The company is continuing its investigation with internal and external cybersecurity experts and has stated it will provide customers with additional guidance as more information becomes available.
In the meantime, organizations using Storage Zone Controllers should preserve forensic evidence, monitor connected systems for indicators of compromise, and avoid restoring affected servers until Progress releases additional remediation guidance.
How organizations can reduce risk from the ShareFile security threat
Until Progress provides additional technical details, organizations should assume compromise and prioritize containment, visibility, and forensic preservation.
- Power down ShareFile Storage Zone Controllers and keep the systems offline until Progress releases validated remediation guidance and confirms it is safe to restore service.
- Verify the controllers are fully isolated by removing all inbound internet access, restricting east-west network communication, and confirming no alternate paths remain exposed.
- Acquire forensic artifacts before modifying the systems by preserving Windows event logs, EDR/XDR telemetry, authentication records, memory (if feasible), and network logs for incident analysis.
- Conduct a targeted threat hunt across the affected servers for anomalous authentication events, new administrative accounts, scheduled tasks, persistence mechanisms, suspicious PowerShell activity, and unexpected outbound connections.
- Expand the investigation beyond the controllers by reviewing Active Directory, service accounts, connected storage platforms, and identity infrastructure for evidence of credential abuse or lateral movement.
- Validate recovery readiness by confirming the integrity of offline backups and preparing to rotate privileged accounts, service credentials, API keys, and authentication secrets if compromise is identified.
- Test your incident response plan to validate containment, forensic collection, executive communications, recovery procedures, and decision-making before production systems are brought back online.
These measures can help reduce your overall exposure and ensure resilience in the event of a compromise.
Bottom Line
This incident reinforces the importance of maintaining visibility into internet-facing infrastructure and maintaining well-defined response procedures for customer-managed components in hybrid environments.
Until Progress releases additional guidance, security teams should maintain containment, investigate for indicators of compromise, and validate remediation before restoring Storage Zone Controllers to production.
This incident also highlights the value of Zero Trust architectures for helping to limit risk across internet-facing systems and hybrid environments.





