Menu
Browse

Cyber Incident Victim: Progress Software

Date:

Jul 2026

Location:

Summary

Progress Software detected a credible external security threat that led to a temporary suspension of its ShareFile Storage Zones Controller service. After four days the service was restored once patched versions 5.12.5 and 6.0.2 of the controller were made available to customers. The disruption stemmed from a high severity path traversal vulnerability affecting versions 5.x and 6.x, for which the vendor has not yet published a CVE identifier to allow time for patching. The company stated there is no evidence of unauthorized access to customer accounts or data and no active threat was identified. It noted a prior security incident involving its MOVEit Transfer product and a separate vulnerability reported in MOVEit Automation.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 0 motives 0 techniques
Threat Actors Type Location
0 actors Available to members Available to members

Description

On July 10, 2026, Progress Software detected a credible external security threat that led the company to temporarily suspend its ShareFile Storage Zones Controller service. The suspension lasted four days, during which access to the controller was unavailable for ShareFile customers who rely on it for private data storage. ShareFile is described as Progress Software’s flagship enterprise file‑sharing offering, and the Storage Zones Controller component provides the underlying storage capability for the service. On July 14, 2026, Progress announced that the service had been resumed after the suspension period ended.

Cyber Incident Image

Progress Software confirmed to Infosecurity that the incident resulted from the exploitation of a high severity path traversal vulnerability affecting Storage Zones Controller versions 5.x and 6.x. The company stated that it had developed and released patched versions of the controller to address the vulnerability. According to Progress, once customers apply the patches, their Storage Zones Controllers will return to an operational state. The specific patched releases are identified as version 5.12.5 for the 5.x line and version 6.0.2 for the 6.x line.

Progress did not disclose a common vulnerabilities and exposures (CVE) identifier for the flaw at the time of the public announcement. The company told BleepingComputer that it is withholding the CVE identifier to give customers sufficient time to deploy the patches before the details become publicly available and could be used by threat actors. At the time of the update on July 15, 2026, Progress reported that there was no evidence of unauthorized access to any ShareFile customer account or data stemming from the incident. The company also said that it had not identified any active threat targeting the Storage Zones Controller after the service was restored.

Progress Software referenced its prior security history, noting the 2023 breach of its MOVEit Transfer product that was exploited in widespread ransomware attacks. The firm also mentioned that a critical vulnerability in MOVEit Automation was reported in April 2026, which had led to further disruptions. These historical incidents were cited to illustrate the broader security context in which the ShareFile Storage Zones Controller event occurred. The narrative concludes with the confirmation that the ShareFile Storage Zones Controller service is now operational for customers who have applied the available patches.

Sources
Sources available to members
1 source