CYBER DESK · HONG KONG · WEEKLY

Progress Software's Silent ShareFile Shutdown

Progress Software's unattributed ShareFile shutdown order reproduces the exact disclosure shape that preceded the 2023 MOVEit mass-breach, and the exposed attack surface was already public three months before the vendor said a word.
KT

The Shutdown Order

On the night of July 9, Progress Software emailed every customer running ShareFile Storage Zone Controller, the on-premises server software companies use to run their own private file-sharing portal instead of a cloud service. The instruction: physically power down those servers. The email named no CVE, the reference number security teams use to look up a specific known vulnerability. It described no technique. It attributed the threat to nobody. That matters, because without those details a customer has no way to judge how urgent the threat actually is, or what it's even defending against. The order became public only because a customer posted it to Reddit's r/sysadmin, not exactly the emergency-advisory channel a major vendor would choose if it wanted this handled quietly and credibly. By 12:12 p.m. Eastern on July 10, Progress's own status page listed Storage Zone Controller as 'not operational,' which at least confirmed the shutdown was real and not one customer's overreaction. The company says it has no indication of unauthorized access. But as of July 12, Progress still has not said whether this is a zero-day, a flaw being exploited before any fix exists, a known flaw under active exploitation, or something else entirely. No CVE number. No named actor.

The Surface Was Mapped

The shutdown itself is not the part worth dwelling on. What came before it is. Researchers had already flagged a critical vulnerability in this exact product back in April 2026. Using Shodan, a search engine that indexes internet-connected devices and lets anyone see which servers are exposed to the open internet, they scanned for Storage Zone Controller instances and found roughly 30,000 of them reachable. About 700 were still unpatched. So for three months, those 700 exposed, vulnerable servers sat there in plain view. Anyone willing to look already had a target list long before Progress sent its shutdown email. Separately, Progress disclosed a MOVEit Automation authentication bypass, tracked as CVE-2026-4670, on May 4. watchTowr Labs had published both vulnerabilities on its own disclosure page back in April 2026, three months before Progress's July 9 shutdown email, which named neither.

The HKMA's June circular told Authorized Institutions to review third-party resilience before an incident, not after one. The SFC logged 15,877 cyber incidents in 2025, up 27 percent. Progress has issued no CVE for the July 9 shutdown and named no actor behind what it called a 'credible external security threat.' Until it does, the ShareFile customers who complied are sitting offline, defending against a threat with no number and no name.

PREVIOUS COLUMNS, CYBER INTEL DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.