Two critical vulnerabilities in Progress ShareFile Storage Zones Controller v5.x — CVE-2026-2699 (auth bypass, CWE-287) and CVE-2026-2701 (code injection, CWE-94) — chain together to provide unauthenticated pre-auth remote code execution against any exposed Storage Zones Controller endpoint, with no credentials required; a patch was released March 10, 2026. While not currently CISA KEV listed, the CVSS 9.8 chain and publicly available technical exploitation coverage from watchTowr Labs make this a high-priority patch target for organizations running on-premises ShareFile deployments. Apply the March 10 patch immediately, restrict Storage Zones Controller management interfaces to trusted IP ranges, and review IIS logs for unauthenticated requests to authenticated API paths returning HTTP 200.