Security researchers warn that chaining two critical vulnerabilities in Progress Software’s ShareFile service could allow an attacker to achieve remote code execution.
The flaws exist in ShareFile Storage Zones Controller, which helps users manage files while they are using the ShareFile software-as-a-service interface, according to researchers at watchTowr Labs.
The vulnerabilities are an authentication bypass flaw, tracked as CVE-2026-2699, and a remote code execution flaw, tracked as CVE-2026-2701, with severity scores of 9.8 and 9.1, respectively.
Progress Software warned in a security bulletin released Thursday that an attacker could access on-premises Storage Zones Controller configuration pages, allowing them to make changes in system configuration or achieve remote code execution.
There is no immediate evidence of exploitation, but researchers urged users to apply security updates right away.
Researchers from watchTowr said there were about 30,000 instances visible on the internet, while a more targeted analysis from the Shadowserver Foundation showed 784 unique IPs were exposed.
The U.S. and Germany are the countries with the most exposure, according to Shadowserver data.
Researchers noted that similar file-transfer software has been a target of significant exploitation campaigns in recent years.
Progress Software dealt with a wave of exploitation activity involving MOVEit file transfer software in 2023. Major government agencies and companies were targeted in a subsequent campaign from the Clop ransomware group.
A less extensive exploitation wave involving Cleo file-transfer software occurred in 2024.