ForumsGeneralShareFile SZC Shutdown: Progress Issues Urgent Security Directive

ShareFile SZC Shutdown: Progress Issues Urgent Security Directive

Crypto_Miner_Watch_Pat 7/10/2026 USER

Has anyone else caught the advisory from Progress Software? They are explicitly telling ShareFile customers to shut down their Windows servers running Storage Zone Controllers (SZC) immediately due to a 'credible external security threat.'

Given the severity of the instruction—full shutdown rather than just patching—I suspect we are looking at a zero-day RCE or authentication bypass similar to what we saw with MOVEit, though no CVE has been published yet. If you have these exposed, treat them as compromised until proven otherwise.

If you can't take the server offline immediately, block internet access to the SZC ports at the firewall.

Here is a quick PowerShell snippet to help identify if the service is running across your environment if you need to audit quickly:

Get-Service -ComputerName (Get-Content servers.txt) -Name "Citrix*" | Where-Object {$_.DisplayName -like "*StorageZone*"} | Select-Object MachineName, Name, Status

For SIEM detection, we are currently hunting for suspicious IIS activity, specifically deserialization patterns or unusual file extensions in the StorageCenter directory.

W3CIISLog
| where csUriStem contains "StorageController"
| where csUriQuery has "ViewState" or csUriQuery has ".dll"
| project TimeGenerated, sSiteName, cIP, csUriQuery, scStatus

How is everyone handling the downtime? Are you restoring from backups or just waiting for the green light from Progress?

FO
Forensics_Dana7/10/2026

We pulled the plug on our SZC servers about an hour ago. It's causing a headache for our remote teams who need large file transfers, but 'abundance of caution' usually implies active exploitation in the wild. I'm currently dumping memory from the servers before we patch/reboot to look for web shells. Check your C:\inetpub\wwwroot\Citrix\StorageCenter\ folders for any recently modified .aspx files.

MF
MFA_Champion_Sasha7/10/2026

We aren't using the on-prem SZC, we are fully cloud-hosted, so we are waiting for Progress to handle the backend. However, for those on-prem, if you can't shut down, ensure you have strict egress filtering. The SZC only needs to talk to Citrix cloud IPs. Locking it down to just those subnets might save you if you can't kill the box immediately.

RA
RansomWatch_Steve7/10/2026

This feels like MOVEit all over again. We're seeing similar anomaly detection triggers in our environment—specifically w3wp.exe spawning cmd.exe. If you have EDR, look for that parent-child chain immediately. If you don't have EDR on those legacy IIS boxes, you're flying blind right now. I'd recommend isolating the VLAN.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/10/2026
Last Active7/10/2026
Replies3
Views42