Back to Intelligence

Progress ShareFile Storage Zone Controllers: Urgent Shutdown and Active Threat Detection

SA
Security Arsenal Team
July 10, 2026
6 min read

Progress Software has issued an urgent security advisory to customers of its ShareFile platform, specifically those utilizing on-premises Storage Zone Controllers (SZC). Citing a "credible external security threat," the vendor is instructing administrators to immediately shut down these servers. This directive implies the existence of a vulnerability—likely a remote code execution (RCE) or authentication bypass flaw—that is either under active exploitation or poses an imminent risk of weaponization. Given the sensitivity of data typically handled by secure file-sharing platforms, the risk of data exfiltration and ransomware deployment is high. Defenders must treat this as a critical incident and act immediately to isolate affected infrastructure.

Technical Analysis

Affected Component: The threat targets the Progress ShareFile Storage Zone Controller. This component is an on-premises Windows Server application that acts as a gateway between the ShareFile cloud and the organization's local storage (NAS, SAN, or local file systems). It is distinct from the cloud-only ShareFile deployment.

The Threat Landscape: While technical details of the vulnerability are currently limited to allow customers to patch before full disclosure, the urgency of the "shut down" instruction strongly suggests an unauthenticated or low-privilege mechanism leading to full system compromise. Historically, flaws in file transfer appliances often involve path traversal, deserialization, or improper input validation in web endpoints.

  • Attack Vector: External, unauthenticated network access via the SZC web interface.
  • Impact: If exploited, an attacker could gain arbitrary code execution on the Windows Server hosting the SZC. From this vantage point, the actor can access the file storage mapped to the controller, move laterally to the domain, or deploy ransomware.
  • Exploitation Status: Credible threat of active exploitation. The "immediate shutdown" advisory is a standard emergency response when vendors detect exploitation in the wild against a critical flaw for which no patch is immediately available or deployable without risk.

Detection & Response

Defenders must assume that if their SZC was internet-facing, it may have been compromised prior to the shutdown alert. The following detection rules and hunts focus on identifying the primary indicator of compromise for web-facing attacks: the web server process spawning a shell or unauthorized binaries.

Sigma Rules

YAML
---
title: ShareFile SZC Web Shell Activity - IIS Spawning Shell
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the IIS worker process (w3wp.exe) spawning cmd.exe, powershell.exe, or other shells, indicative of web shell exploitation on ShareFile Storage Zone Controllers.
references:
  - Internal Advisory
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.initial_access
  - attack.execution
  - attack.t1505.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate administrative scripts running via IIS (rare)
level: critical
---
title: Suspicious File Creation in ShareFile Web Root
title: Suspicious File Creation in ShareFile Web Root
id: b2c3d4e5-6789-01ab-cdef-2345678901bc
status: experimental
description: Detects creation of common web shell extensions within the ShareFile Storage Zone Controller web directories.
references:
  - Internal Advisory
author: Security Arsenal
date: 2026/04/08
tags:
  - attack.persistence
  - attack.t1505.003
logsource:
  category: file_create
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\C:\inetpub\wwwroot\'
      - '\Program Files\Citrix\Storage Center\'
    TargetFilename|endswith:
      - '.aspx'
      - '.ashx'
      - '.asmx'
      - '.config'
  condition: selection
falsepositives:
  - legitimate software updates or installations
level: high

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for IIS worker process spawning suspicious children
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where ProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, ProcessFileName, FolderPath
| extend FullPath = FolderPath \
"\\" \
 ProcessFileName

Velociraptor VQL

VQL — Velociraptor
// Hunt for recent ASPX/ASHX files modified in the last 3 days in web roots
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs="C:/inetpub/wwwroot/**/*.aspx")
WHERE Mtime > now() - 3*24*3600

// Hunt for processes spawned by w3wp.exe
SELECT Pid, Ppid, Name, CommandLine, Exe
FROM pslist()
WHERE Ppid IN (SELECT Pid FROM pslist() WHERE Name =~ "w3wp.exe")
  AND Name IN ("cmd.exe", "powershell.exe", "pwsh.exe")

Remediation Script (PowerShell)

PowerShell
# Script to isolate ShareFile Storage Zone Controller and check for IOCs
# Requires Administrative Privileges

Write-Host "[+] Initiating Emergency Isolation for ShareFile SZC..." -ForegroundColor Cyan

# 1. Stop IIS Services to halt the web application
Write-Host "[+] Stopping IIS Services..." -ForegroundColor Yellow
Stop-Service -Name W3SVC -Force -ErrorAction SilentlyContinue
Stop-Service -Name WAS -Force -ErrorAction SilentlyContinue

# 2. Check for recent suspicious process creations linked to w3wp.exe (Event ID 4688)
Write-Host "[+] Checking Event Logs for suspicious process spawns (Last 24h)..." -ForegroundColor Yellow
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue

if ($events) {
    $suspicious = $events | Where-Object { $_.Message -match 'w3wp.exe' -and $_.Message -match '(cmd.exe|powershell.exe|pwsh.exe)' }
    if ($suspicious) {
        Write-Host "[!] WARNING: Found suspicious process spawns by w3wp.exe:" -ForegroundColor Red
        $suspicious | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Host "[-] No suspicious w3wp.exe spawns found in logs." -ForegroundColor Green
    }
}

# 3. Identify recently created ASPX/ASHX files (potential webshells)
Write-Host "[+] Scanning for recently created web files (Last 48h)..." -ForegroundColor Yellow
$webRoots = @("C:\inetpub\wwwroot", "C:\Program Files\Citrix\Storage Center")

foreach ($root in $webRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Include *.aspx, *.ashx, *.asmx, *.config `
        | Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-48) } `
        | Select-Object FullName, LastWriteTime, Length `
        | Format-Table -AutoSize
    }
}

Write-Host "[+] Isolation complete. Keep the server offline until vendor patch is applied." -ForegroundColor Green

Remediation

Immediate Actions:

  1. Shut Down: If you cannot run the script above safely, physically disconnect the network cable or power down the server hosting the Storage Zone Controller immediately.
  2. Block Network Access: If shutdown is not immediately possible, restrict inbound traffic to the SZC at the firewall level to only trusted internal IP addresses (though total isolation is preferred).

Post-Isolation Steps:

  1. Patch Management: Monitor the official Progress Software Support portal for a security patch or hotfix. Do not bring the system back online until the specific update addressing this "credible threat" is applied.
  2. Credential Rotation: Assume that if the server was compromised, cached credentials or NTLM hashes may have been dumped. Rotate passwords for service accounts associated with the ShareFile SZC and any domain accounts used by the server.
  3. Forensic Validation: Conduct a thorough review of the system logs (IIS logs, System, Security) to determine if the vulnerability was exploited prior to the alert. Look for web requests containing suspicious payloads or the web shell activity defined in the detection section.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemprogress-sharefilestorage-zone-controlleractive-exploitationzero-dayremote-code-execution

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.