What Progress told customers to do
The instruction from Progress Software was blunt: turn the machine off. On July 10 2026, with wider coverage landing the next day, administrators running ShareFile with on-premises Storage Zone Controllers were told to physically shut those controllers down in response to a threat the vendor called credible.
There is no patch to apply, no named CVE to track, and no public detail about the threat itself. Progress also made clear that blocking access at the cloud layer is not enough. The exposure is the controller itself, the box sitting inside the customer's own network, and the only guidance on the table is to stop it running.
A 9.8-severity Progress vulnerability, CVE-2026-2699, is circulating in the wild, but Progress has not officially tied it to this warning. For an owner, the practical position is simple and uncomfortable: a trusted vendor is telling you the safest state for its product is powered off.
Why 'shut it down' beats 'wait for a patch'
Pulling the plug is the honest move when there is nothing to patch. A shutdown removes the attack surface immediately, while waiting invites the exact scenario the industry already lived through with MOVEit, the earlier Progress file-transfer product whose 2023 crisis drove one of the largest breach waves in Europe.
That precedent is why this warning carries weight beyond one product line. The same category of trusted file-transfer software, sitting at the seam where sensitive documents move between partners, has now produced two vendor-issued emergencies from the same supplier. When the fix is not available, the only lever an owner controls is availability, and switching the service off is the one action that cannot be outrun by an attacker.
The third-party-risk drill you owe yourself
The lesson here is not this one product. It is that your managed file-transfer and file-sharing vendors are concentrated third-party risk, and a sudden instruction to shut a production system down is a drill you should already be able to run under NIS2 and DORA.
Both regimes treat a supplier-triggered event like this as a reportable third-party incident, and the clock can start before any compromise is confirmed. That means the questions worth answering today are not about ShareFile alone: which vendors could send you the same message tomorrow, who has the authority to power a system off inside the hour, and how fast could you file the notification the law expects.
Run the exercise now, while it costs you nothing but an afternoon. The firms that will handle the next of these calmly are the ones that rehearsed the shutdown before a vendor forced it.
Read next: 430,000 Firewalls Became a Ransomware Supply Line | CitrixBleed Returns, Exploited Within a Day



