Key Takeaways on Healthcare Privacy in 2026 – WilmerHale
Epic’s Ask Emmie offers EHR-backed AI chatbot option for patients – TechTarget
Critical Flaws Identified in Progress Software ShareFile Service – The HIPAA Journal
Two critical vulnerabilities have been identified in Progress Software’s ShareFile service. The flaws could potentially be chained by an unauthenticated remote attacker to make configuration changes and achieve remote code execution.
While there have been no known cases of the vulnerabilities being exploited in the wild to date, vulnerabilities in file sharing software are actively targeted by threat actors, so attempted exploitation is likely. In 2023, a zero-day vulnerability in Progress Software’s MOVEit file transfer software was mass exploited by the Clop ransomware group, which claimed hundreds of victims worldwide. To a lesser extent, vulnerabilities in Fortra’s GoAnywhere, Accellion FTA, and Cleo MFT were also mass exploited. Users are therefore encouraged to apply the security updates promptly to prevent exploitation.
The vulnerabilities affect ShareFile Storage Zones Controller v5 deployments for customer-managed zones and include an authentication bypass flaw tracked as CVE-2026-2699 and a remote code execution flaw tracked as CVE-2026-2701.
According to Progress Software’s security alert, “These vulnerabilities allow an unauthenticated remote attacker to access on-prem storage zones controller’s configuration pages, potentially leading to changes in system configuration and remote code execution.” The authentication bypass flaw has a CVSS v3.1 base score of 9.8, and the RCE flaw has a CVSS base score of 9.1.
The vulnerabilities affect versions 0 through 5.12.3 and have been patched in version 5.12.4. The vulnerabilities do not exist in any v6 versions. Progress Software strongly recommends upgrading to a patched version of v6 as soon as possible to prevent exploitation. Any users of unsupported versions should ensure they upgrade to a supported and fixed version as soon as possible.
The vulnerabilities were identified by security researchers Sonny and Piotr Bazydlo of watchTowr, who reported them to Progress Software. According to Shadowserver, there are 334 unique IPs associated with ShareFile in the United States.
Complicated vs. Complex: Why Modern Healthcare Demands a Unique Approach to Cybersecurity – Cisco Blogs
Telehealth Giant Hims & Hers Announces Data Breach – The HIPAA Journal
The direct-to-consumer telehealth company Hims & Hers has experienced a data breach. In early February, an unauthorized third party gained access to its third-party customer service platform and acquired support tickets that contained personal information.
Suspicious activity was identified within the customer service platform on February 5, 2026. Hims & Hers took steps to secure the platform and launched an investigation to determine the nature and scope of the activity. The investigation confirmed that an unauthorized third party had access to the platform from February 4, 2026, to February 7, 2026. During that time, certain tickets sent to the customer service team were subjected to unauthorized access or were acquired.
Hims & Hers reviewed the affected tickets and, on March 3, 2026, confirmed that they contained personal information such as names and contact information; however, customers’ medical records were not involved, and there was no unauthorized access to communications with healthcare providers on the platform. Law enforcement was notified about the incident, and individual notification letters are being mailed to the affected individuals. While the data compromised in the incident is limited, Hims & Hers is offering complimentary single-bureau credit monitoring and identity theft protection services for 12 months.
Hims & Hers has conducted a review of its policies and procedures related to privacy and security and is taking steps to prevent similar incidents in the future. While the incident has been reported to regulators, including the California Attorney General, Hims & Hers has not publicly disclosed the number of individuals affected by the incident.
The threat group behind the attack was not disclosed by Hims & Hers; however, BleepingComputer reports that the ShinyHunters threat group was behind the attack. The attack was part of a broader campaign targeting multiple companies. The threat group compromises Okta SSO accounts to gain access to data storage environments and steals data for extortion purposes. In this case, ShinyHunters used the Okta SSO account to access the Hims & Hers Zendesk instance and stole millions of support tickets.