Progress ShareFile Storage Zones Controller 5.x is affected by a two-CVE chain (CVE-2026-2699 and CVE-2026-2701, both CVSS 9.8) that enables pre-authentication remote code execution on the on-premises file transfer component, with CVE-2026-2699 at the 93rd EPSS percentile. ShareFile infrastructure has been targeted in prior ransomware and data theft campaigns, and the pre-auth nature of this chain makes unpatched internet-facing SZC instances high-priority targets. Organizations should isolate or take offline any internet-facing SZC 5.x instances immediately and apply the Progress-issued patch from the vendor portal.