Home / The Long Read / Research
Long Read

Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime

On 10 July 2026 Progress Software told ShareFile customers running Storage Zone Controllers to shut down the hosting Windows servers over a credible external threat. No patch, no CVE, and cloud access to affected accounts disabled. The pattern is concentration risk: one widely used file-sharing supplier is a single point of exposure, and its emergency is inherited by everyone downstream, including firms that only touch it through a vendor.

Progress tells ShareFile customers to pull the plug: an ICT supplier's threat becomes everyone's downtime
TL;DR

On 10 July 2026 Progress Software told ShareFile customers running Storage Zone Controllers to shut down the hosting Windows servers over a credible external threat. No patch, no CVE, and cloud access to affected accounts disabled. The pattern is concentration risk: one widely used file-sharing supplier is a single point of exposure, and its emergency is inherited by everyone downstream, including firms that only touch it through a vendor.

When one supplier tells thousands of customers to switch off a server, the supplier's problem has just become their problem. On 10 July 2026 Progress Software emailed ShareFile customers who run Storage Zone Controllers and told them to shut those servers down at once, citing a credible external security threat. Storage Zone Controllers are on-premises Windows servers that keep files in a customer's own storage while using ShareFile's cloud for logins and sharing. Every organisation that runs one had to choose between exposure and taking a file-sharing service offline. The lesson: a widely used ICT supplier is a single point of exposure, and its emergency is inherited by everyone downstream.

Progress ShareFile (July 2026): one supplier advisory, downtime across the customer base A widely used ICT file-sharing supplier is a single point of exposure for everyone downstream. The threat “credible external security threat” nature undisclosed; no CVE assigned ICT supplier Progress ShareFile Storage Zone Controllers Vendor instruction (10 July 2026): shut down the on-prem servers cloud access cut off no patch available at the advisory separate from the April 2026 CVEs Downstream customers Every org running a controller Suppliers who use it with you (fourth-party data flows) inherit both the risk and the downtime. No customer breach named. What is confirmed (10 July 2026): Progress issued a shutdown advisory. No CVE assigned; no confirmed compromise of accounts or data at that date. Third-party risk, in one line: A supplier used by many is a shared point of failure, so know which of your systems and vendors depend on it. Sources: BleepingComputer, The Hacker News (10–11 July 2026). Draft diagram for Breach Wire, Supplier Shield.

What happened

On 10 July 2026 Progress Software instructed ShareFile customers using Storage Zone Controllers to manually shut down the Windows servers hosting them, according to reporting by BleepingComputer and The Hacker News. Progress said disabling access through the ShareFile cloud was not enough to reduce the threat, and it also cut off cloud access for affected accounts while it investigated with internal and external experts. Progress has not said whether a software vulnerability is involved, whether any controller was compromised, or assigned a CVE identifier to the incident. It stated it had no indication of unauthorised access to ShareFile accounts or data as of that date. The company is the maker of MOVEit, the file-transfer product mass-exploited by the Clop group in 2023. The July advisory is separate from two critical ShareFile flaws disclosed by watchTowr Labs in April 2026 (CVE-2026-2699 and CVE-2026-2701, a chainable pre-authentication remote code execution), which Progress had already patched. Progress has not linked the current threat to those flaws.

Why it matters for third-party risk

The pattern is concentration risk. ShareFile is one supplier embedded in many organisations' file workflows, so a single advisory forces action across the whole customer base at once. The cost is not only the unknown threat; it is the guaranteed downtime of switching a service off with no patch to apply. There is a fourth-party edge too. A supplier may use ShareFile to exchange files with you, so its shutdown can interrupt data flows you depend on even if you do not run the product yourself. A reader who cannot answer, within hours, whether they or their vendors run this software is carrying a risk they cannot yet see.

What teams should take from it

Two takeaways. First, keep a current inventory of ICT suppliers and the products they operate, including file-transfer and file-sharing tools, so a vendor advisory becomes a targeted action rather than a scramble to find affected systems. Second, ask your key suppliers directly whether they use ShareFile Storage Zone Controllers to move data with you, and agree in advance how they will tell you when they take a shared system offline.

For teams mapping which suppliers could force this kind of decision, this is a prompt to see how continuous vendor monitoring works, so a supplier's emergency does not catch you unprepared.

FAQ

What did Progress actually tell customers to do?

Progress emailed ShareFile customers who run Storage Zone Controllers on 10 July 2026 and told them to shut down the hosting Windows servers manually. It said turning off cloud access alone was not enough, and it disabled access to affected accounts while investigating.

Is a specific vulnerability being exploited?

Progress has not confirmed one. As of its 10 July advisory it had not disclosed the nature of the threat, assigned a CVE, or said whether any controller was compromised. It reported no indication of unauthorised access to accounts or data at that point. Those details are unconfirmed.

We do not run ShareFile. Are we exposed?

Possibly, at one step removed. If a supplier uses ShareFile Storage Zone Controllers to exchange files with you, their shutdown can interrupt your data flows. Confirm which vendors rely on the product and how they will notify you of outages.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

AdaptHealth breach reached patient data through a third-party contractor's stolen credentials

AdaptHealth breach reached patient data through a third-party contractor's stolen credentials

AdaptHealth told the SEC that attackers reached patient data through a third-party contractor's stolen credentials, obtained by social engineering. The number of affected individuals is not yet confirmed. For third-party risk teams, contractor and vendor accounts are part of the attack surface.

Read article
Deutsche Bank incident began at a third-party marketing platform, not the bank's network

Deutsche Bank incident began at a third-party marketing platform, not the bank's network

A cyber incident tied to Deutsche Bank started at a third-party marketing and incentive platform in Germany, not the bank's own network. The Unsafe ransomware group posted alleged employee records; Deutsche Bank says its systems were not affected and the scope is unconfirmed. For financial firms, the lesson is a DORA register one: an edge supplier that holds employee or partner data still belongs in scope.

Read article
Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

Hemmersbach ransomware claim: why a breach at an IT services supplier reaches toward its clients

A ransomware group has claimed a breach of Hemmersbach, a German IT services provider that works inside its clients' technology estates. Researchers say the exposed data includes credentials to the firm's own identity systems. Hemmersbach has not confirmed the attack and the scope is unverified. For third-party risk teams, the lesson is about vendor access: a supplier's stolen login can become a route toward the clients it serves.

Read article
Progress ShareFile shutdown order: the concentration risk in one ICT supplier | Breach Wire | Supplier Shield