2026-07-11 · view entry permalink →
Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2
France's national CERT (CERT-FR/ANSSI) published advisory CERTFR-2026-AVI-0856 on 2026-07-10 for three newly-disclosed vulnerabilities in Progress MOVEit Transfer, a managed file-transfer product whose 2023 Cl0p mass-exploitation campaign against roughly 2,600 organisations makes any internet-facing MOVEit flaw worth prompt attention. The most exposure-relevant is CVE-2026-10699 (CVSS 3.1 7.5, Progress CNA record), a missing-release-of-memory flaw in the SFTP service: memory is not freed after its effective lifetime, letting an unauthenticated remote attacker exhaust memory and force a denial of service on any instance whose SFTP listener is reachable. CVE-2026-10698 (CVSS 7.2, Progress CNA record) is a query-logic flaw in the Custom Reports module that lets an attacker already holding admin-level privileges bypass a report's table-scope restrictions to read or manipulate data outside its intended scope, and CVE-2026-11903 (CVSS 8.0, Progress CNA record) is a stored cross-site-scripting flaw in the Ad Hoc module that a low-privileged authenticated user can plant to run script in another user's session. CERT-FR gives the fixed release as MOVEit Transfer 2026.0.2, with the 2025.0.8 and 2025.1.4 branch releases carrying the same fixes; no active exploitation or public proof-of-concept is reported for any of the three.