Threat Report 184
This week, A well-known file-sharing tool has been taken offline after a mystery security threat, with no fix available yet.
Microsoft has issued another urgent SharePoint update, and this time, working attack code is already public.
A remote support tool used by IT helpdesks and managed service providers has critical flaws that could hand attackers the keys to every device it manages.
And in Scotland, an NHS trust is dealing with a reminder that not every risk comes from hackers; sometimes it is a simple mistake involving maternity patients' data.
Read on for what happened, why it matters, and what you can do about it.
A Well-Known File-Sharing Tool Ordered Offline After Mystery Security Threat
Progress Software, the company behind the ShareFile file-sharing service, has told customers to switch off a piece of software called the Storage Zone Controller, a server that many companies run themselves to control where their ShareFile documents are stored. Progress said it had learned of a "credible external security threat" and had already switched off access for some customer accounts as a precaution. It has not said what the threat actually is, who is behind it, or whether any data has been stolen. Unlike a normal security update, Progress is not telling customers to install a patch; it is telling them to unplug the affected servers completely, which suggests a fix may not be ready yet.
Storage Zone Controllers usually sit at the edge of a company's network, connected to the internet so staff can use them easily. That same position makes them visible to attackers scanning for weak points. Many UK businesses use ShareFile to share documents securely with clients, partners, and patients. Because Progress has ordered a shutdown rather than a patch, this looks like a serious, fast-moving problem. NHS suppliers and digital health organisations using ShareFile to exchange sensitive files should treat this as an active incident until Progress provides more details.
Recommendations
- Check whether your organization runs a ShareFile Storage Zone Controller and, if so, follow Progress's instructions to take it offline immediately.
- Do not wait for a patch before acting; treat the shutdown advice as urgent even without full details.
- Watch the Progress status page and trusted security news sources for updates on what caused the threat.
- Review recent file access logs on your Storage Zone Controller for anything unusual.
- If a third party manages your ShareFile setup, ask them directly whether they have shut down the affected servers.
- Log this as an open risk in your DSPT risk register until Progress confirms it is safe to resume normal service.
Public Attack Code Released for Another SharePoint Flaw
Microsoft has released a fix for a new flaw in SharePoint Server, tracked as CVE-2026-33112. A security researcher has already published proof-of-concept code showing how the flaw could be exploited, meaning people beyond professional criminal gangs can now try to use it. The flaw lets someone who already has an ordinary, logged-in account on a SharePoint server run their own code and effectively take it over. NHS England's cyber team rates further attacks as likely. This is a separate, newer flaw from the SharePoint issue exploited in recent weeks, showing just how much attention SharePoint is getting from attackers and researchers right now.
On-premises SharePoint servers, the version organisations run and manage themselves, rather than Microsoft's cloud-hosted SharePoint Online, are used across many NHS trusts and suppliers to store documents, policies, and records. With working attack code now public, the gap between "a flaw exists" and "someone actively uses it" gets much shorter. Any organisation running an unpatched on-premises SharePoint server risks losing control of that server, which attackers can then use as a launchpad into the wider network.
Recommendations
- Confirm whether your organisation runs on-premises SharePoint Server; SharePoint Online in Microsoft 365 is not affected.
- Apply Microsoft's security update for CVE-2026-33112 without delay.
- Review SharePoint account activity for any unexpected logins or actions from ordinary user accounts.
- Restrict SharePoint account permissions to only what each user genuinely needs.
- Treat this as urgent, even if you already patched an earlier SharePoint flaw, as this is a separate vulnerability.
- Record the patch date and version applied in your DSPT risk register.
Critical Flaws Found in Widely Used Remote Support Software
BeyondTrust, which makes Remote Support and Privileged Remote Access software, has released fixes for four security flaws. Two are rated critical, scoring 9.2 out of 10 for severity. These two flaws could let an attacker who has not logged in at all bypass the normal sign-in process and gain full access to a system, including accounts with the highest level of privilege. Tools like this are used by IT helpdesk staff and outside support companies to connect to and control other people's computers remotely. BeyondTrust has already patched its own cloud customers, but anyone running the software themselves needs to update it.
Remote support tools are often used by managed service providers and outside IT companies that look after the day-to-day technology for smaller organisations, including many digital health companies and NHS suppliers. If an attacker breaks into the support platform itself, they could potentially reach every computer or system it manages in one go, not just a single victim. This is exactly the kind of supply chain risk that DSPT assessments are designed to catch, and it is worth asking directly whether any of your IT or support providers use BeyondTrust.
Recommendations
- Check whether your organisation or any of your IT support providers use BeyondTrust Remote Support or Privileged Remote Access.
- Apply BeyondTrust's security advisory BT26-03 updates immediately if you run the software yourselves.
- Ask any managed service provider or outside IT support company to confirm in writing that they have patched their BeyondTrust systems.
- Review recent technician and administrator account activity for anything unexpected.
- Turn on multi-factor authentication for all remote support accounts if it is not already in place.
- Log supplier confirmation of patching in your DSPT supplier assurance records.
Scottish NHS Trust Investigates Maternity Patient Data Sent to Personal Email
NHS Forth Valley, the health board covering services between Edinburgh and Glasgow, has revealed that a staff member sent a spreadsheet containing details of around 150 women who had used its maternity services to their own personal email account. The Trust says most of the information could not be used to identify anyone, but some lines did relate to specific women who had accessed local maternity care. It has launched an internal investigation, contacted the women affected, and reported the matter to the UK Information Commissioner. There is no evidence yet that the data has been shared any further, and the staff member has said they have deleted it.
Not every risk to patient data comes from hackers. This incident is a reminder that ordinary human mistakes, like sending information to the wrong place, are one of the most common causes of data breaches in healthcare. Maternity data is especially sensitive, and incidents like this can affect patient trust just as much as a cyber-attack would. For NHS organisations and suppliers working towards DSPT compliance, this case shows why staff training and clear rules about where data can and cannot be sent matter just as much as technical security controls.
Recommendations
- Remind staff regularly that patient data spreadsheets and reports should never be sent to personal email accounts.
- Use technical controls, such as data loss prevention tools, to block attempts to send sensitive files to personal or unapproved email addresses.
- Review who has access to raw exports from clinical systems like maternity records, and limit this to those who genuinely need it.
- Make sure staff know how to report a data incident quickly and who to escalate it to.
- Test your incident response process for data-handling mistakes, not just cyber-attacks, so you know it works in practice.
- Keep clear records of any incident investigation and ICO notification for your DSPT evidence base.
Want Help Staying Ahead of Threats Like These?
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.