Full Report
Progress security advisory (AV26-678)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in MOVEit Transfer (June 2026 Advisory)
## CVE Details
- **CVE ID:** CVE-2026-10699, CVE-2026-10698, CVE-2026-11903
- **CVSS Score:** 9.8 (Critical) - *Based on typical scoring for MOVEit critical bulletins of this nature.*
- **CWE:** Not explicitly listed in summary, typically associated with Broken Access Control or Injection in this product line.
## Affected Systems
- **Products:** Progress MOVEit Transfer
- **Versions:**
- 2024.1.8 and prior
- 2025.0.0 through 2025.0.7
- 2025.1.0 through 2025.1.3
- 2026.0.0
- **Configurations:** All standard deployments of the affected versions.
## Vulnerability Description
While the specific technical mechanics (e.g., SQL injection vs. deserialization) are contained within the vendor's deep-dive bulletin, these vulnerabilities represent critical security flaws within the MOVEit Transfer web interface. These types of flaws generally allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database or execute arbitrary code, potentially leading to full system compromise and data exfiltration.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild at the time of advisory, but categorized as "Critical" necessitating immediate action.
- **Complexity:** Low (Typically targeted via automated web requests)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for full data exfiltration)
- **Integrity:** High (Potential for unauthorized modification of data/system files)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
Progress recommends upgrading to the following patched versions (or newer):
- **MOVEit Transfer 2024.1.9**
- **MOVEit Transfer 2025.0.8**
- **MOVEit Transfer 2025.1.4**
- **MOVEit Transfer 2026.0.1**
### Workarounds
- **Restrict Access:** Limit access to the MOVEit Transfer web interface to trusted IP addresses via firewall rules or underlying network ACLs.
- **Audit Logs:** Monitor for unusual administrative actions or large file transfers.
## Detection
- **Indicators of Compromise:** Look for unexpected user creation in the MOVEit database, unauthorized active sessions, or unfamiliar files in the `\MOVEitTransfer\wwwroot` directory.
- **Detection methods and tools:** Utilize web application firewall (WAF) logs to identify suspicious payloads or high volumes of unauthorized requests to the application’s API or login endpoints.
## References
- **Vendor Advisory:** hxxps[://]community[.]progress[.]com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026
- **Progress Trust Center:** hxxps[://]www[.]progress[.]com/trust-center
- **Cyber Centre Bulletin:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/progress-security-advisory-av26-678