Progress ShareFile Storage Zones Controller (SZC) 5.x contains two critical vulnerabilities (CVE-2026-2699, CVSS 9.8; CVE-2026-2701, CVSS pending) that watchTowr Labs has demonstrated can be chained for pre-authentication RCE with no credentials required at any stage. CVE-2026-2699 carries an EPSS score at the 92.99th percentile, indicating high exploitation probability. Patches have been released; any internet-facing SZC instance that cannot be patched within 24 hours should be taken offline or isolated, and credentials accessible from SZC hosts should be rotated given the pre-auth nature of the exploit chain.