ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-10699 +2NATOA2vulnerability

Progress MOVEit Transfer: pre-auth SFTP DoS (CVE-2026-10699), admin table-scope bypass (CVE-2026-10698) and stored XSS (CVE-2026-11903), patched 2026.0.2

discovered 2026-07-11 13:05 UTCrun 2026-07-11T1210Z-intel4 sourcesmulti-source

France's national CERT (CERT-FR/ANSSI) published advisory CERTFR-2026-AVI-0856 on 2026-07-10 for three newly-disclosed vulnerabilities in Progress MOVEit Transfer, a managed file-transfer product whose 2023 Cl0p mass-exploitation campaign against roughly 2,600 organisations makes any internet-facing MOVEit flaw worth prompt attention. The most exposure-relevant is CVE-2026-10699 (CVSS 3.1 7.5, Progress CNA record), a missing-release-of-memory flaw in the SFTP service: memory is not freed after its effective lifetime, letting an unauthenticated remote attacker exhaust memory and force a denial of service on any instance whose SFTP listener is reachable. CVE-2026-10698 (CVSS 7.2, Progress CNA record) is a query-logic flaw in the Custom Reports module that lets an attacker already holding admin-level privileges bypass a report's table-scope restrictions to read or manipulate data outside its intended scope, and CVE-2026-11903 (CVSS 8.0, Progress CNA record) is a stored cross-site-scripting flaw in the Ad Hoc module that a low-privileged authenticated user can plant to run script in another user's session. CERT-FR gives the fixed release as MOVEit Transfer 2026.0.2, with the 2025.0.8 and 2025.1.4 branch releases carrying the same fixes; no active exploitation or public proof-of-concept is reported for any of the three.

Defender actions

  • Inventory internet-facing MOVEit Transfer instances and upgrade to 2026.0.2 (or the 2025.1.4 / 2025.0.8 branch release), verifying the installed build number against the vendor's fixed-version list rather than the branch label.
  • Prioritise the SFTP-reachable instances first: CVE-2026-10699 is exploitable pre-authentication to cause denial of service, so any MOVEit whose SFTP port is exposed to untrusted networks is reachable without credentials.
  • Review Custom Reports admin-account scoping (CVE-2026-10698) and restrict Ad Hoc module use to trusted users pending patch (CVE-2026-11903).

ATT&CK mapping

3 techniques mapped from the cited reporting · MITRE ATT&CK v19.1

Initial Access TA0001
T1190Exploit Public-Facing Application

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

overlap matrix · ATT&CK page ↗

Execution TA0002
T1059.007Command and Scripting Interpreter: JavaScript

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.

overlap matrix · ATT&CK page ↗

Impact TA0040
T1499.004Endpoint Denial of Service: Application or System Exploitation

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent denial of service (DoS) condition.

overlap matrix · ATT&CK page ↗

PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.