ctipilot.ch

Progress MOVEit Transfer SFTP-service memory-leak pre-auth denial of service (CVSS 7.5; CERT-FR AVI-0856)

cve · CVE-2026-10699

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
4
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
3
pinned v19.1 · see below

Hunting pivots

ATT&CK techniques
Affected products
Progress MOVEit Transfer

ATT&CK techniques

3 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-11/moveit-transfer-certfr-cve-2026-10699-10698-11903 · ATT&CK page ↗

Execution TA0002

T1059.007Command and Scripting Interpreter: JavaScript×1

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

Evidence: 2026-07-11/moveit-transfer-certfr-cve-2026-10699-10698-11903 · ATT&CK page ↗

Impact TA0040

T1499.004Endpoint Denial of Service: Application or System Exploitation×1

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

Evidence: 2026-07-11/moveit-transfer-certfr-cve-2026-10699-10698-11903 · ATT&CK page ↗

Story timeline

  1. 2026-07-11Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2
    trending-vulnerabilitiesCERT-FR flags three new MOVEit Transfer CVEs — a pre-auth SFTP memory-leak DoS is reachable on any exposed instance (no exploitation yet)

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • cve.threatint.eu3 (75%)
  • cert.ssi.gouv.fr1 (25%)

Related entities

Entries about Progress MOVEit Transfer SFTP-service memory-leak pre-auth denial of service (CVSS 7.5; CERT-FR AVI-0856) (1)

2026-07-11 · view entry permalink →

NOTABLECVE-2026-10699 +2NATOA2

Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2

France's national CERT (CERT-FR/ANSSI) published advisory CERTFR-2026-AVI-0856 on 2026-07-10 for three newly-disclosed vulnerabilities in Progress MOVEit Transfer, a managed file-transfer product whose 2023 Cl0p mass-exploitation campaign against roughly 2,600 organisations makes any internet-facing MOVEit flaw worth prompt attention. The most exposure-relevant is CVE-2026-10699 (CVSS 3.1 7.5, Progress CNA record), a missing-release-of-memory flaw in the SFTP service: memory is not freed after its effective lifetime, letting an unauthenticated remote attacker exhaust memory and force a denial of service on any instance whose SFTP listener is reachable. CVE-2026-10698 (CVSS 7.2, Progress CNA record) is a query-logic flaw in the Custom Reports module that lets an attacker already holding admin-level privileges bypass a report's table-scope restrictions to read or manipulate data outside its intended scope, and CVE-2026-11903 (CVSS 8.0, Progress CNA record) is a stored cross-site-scripting flaw in the Ad Hoc module that a low-privileged authenticated user can plant to run script in another user's session. CERT-FR gives the fixed release as MOVEit Transfer 2026.0.2, with the 2025.0.8 and 2025.1.4 branch releases carrying the same fixes; no active exploitation or public proof-of-concept is reported for any of the three.

vulnerability11 Jul 13:05Zmulti-sourceOpen finding ↗