ShareFile SZC Shutdown: Progress Issues Urgent Security Directive
Has anyone else caught the advisory from Progress Software? They are explicitly telling ShareFile customers to shut down their Windows servers running Storage Zone Controllers (SZC) immediately due to a 'credible external security threat.'
Given the severity of the instruction—full shutdown rather than just patching—I suspect we are looking at a zero-day RCE or authentication bypass similar to what we saw with MOVEit, though no CVE has been published yet. If you have these exposed, treat them as compromised until proven otherwise.
If you can't take the server offline immediately, block internet access to the SZC ports at the firewall.
Here is a quick PowerShell snippet to help identify if the service is running across your environment if you need to audit quickly:
Get-Service -ComputerName (Get-Content servers.txt) -Name "Citrix*" | Where-Object {$_.DisplayName -like "*StorageZone*"} | Select-Object MachineName, Name, Status
For SIEM detection, we are currently hunting for suspicious IIS activity, specifically deserialization patterns or unusual file extensions in the StorageCenter directory.
W3CIISLog
| where csUriStem contains "StorageController"
| where csUriQuery has "ViewState" or csUriQuery has ".dll"
| project TimeGenerated, sSiteName, cIP, csUriQuery, scStatus
How is everyone handling the downtime? Are you restoring from backups or just waiting for the green light from Progress?
We pulled the plug on our SZC servers about an hour ago. It's causing a headache for our remote teams who need large file transfers, but 'abundance of caution' usually implies active exploitation in the wild. I'm currently dumping memory from the servers before we patch/reboot to look for web shells. Check your C:\inetpub\wwwroot\Citrix\StorageCenter\ folders for any recently modified .aspx files.
We aren't using the on-prem SZC, we are fully cloud-hosted, so we are waiting for Progress to handle the backend. However, for those on-prem, if you can't shut down, ensure you have strict egress filtering. The SZC only needs to talk to Citrix cloud IPs. Locking it down to just those subnets might save you if you can't kill the box immediately.
This feels like MOVEit all over again. We're seeing similar anomaly detection triggers in our environment—specifically w3wp.exe spawning cmd.exe. If you have EDR, look for that parent-child chain immediately. If you don't have EDR on those legacy IIS boxes, you're flying blind right now. I'd recommend isolating the VLAN.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access