PatchSiren cyber security CVE debrief
CVE-2026-10698 Progress CVE debrief
CVE-2026-10698 is an Improper Neutralization of Special Elements in Data Query Logic vulnerability affecting Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. This issue has a CVSS score of 7.2 and is classified as HIGH severity. The vulnerability exists in the Custom Reports modules of Progress MOVEit Transfer, allowing attackers to execute arbitrary code. Organizations using affected versions should prioritize patching to prevent potential attacks.
- Vendor
- Progress
- Product
- MOVEit Transfer
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Organizations using Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1 should prioritize patching this vulnerability to prevent potential attacks. Operators, platform administrators, vulnerability management teams, and security teams should review the affected scope and severity to determine the necessary actions.
Technical summary
The vulnerability exists in the Custom Reports modules of Progress MOVEit Transfer. An improper neutralization of special elements in data query logic allows attackers to execute arbitrary code. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The affected product context indicates that the vulnerability impacts Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1.
Defensive priority
High
Recommended defensive actions
- Apply patches from Progress for affected MOVEit Transfer versions.
- Restrict access to Custom Reports modules.
- Monitor for suspicious activity in MOVEit Transfer logs.
- Implement additional security controls around MOVEit Transfer installations.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-08T15:16:25.040Z and was last modified on 2026-07-10T14:33:24.257Z. The NVD entry is currently Analyzed. The vulnerability affects Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity. The CVE record and NVD entry provide additional metadata.
Official resources
-
CVE-2026-10698 CVE record
CVE.org
-
CVE-2026-10698 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T15:16:25.040Z and has not been modified since then. The NVD entry is currently Analyzed.