PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10698 Progress CVE debrief

CVE-2026-10698 is an Improper Neutralization of Special Elements in Data Query Logic vulnerability affecting Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. This issue has a CVSS score of 7.2 and is classified as HIGH severity. The vulnerability exists in the Custom Reports modules of Progress MOVEit Transfer, allowing attackers to execute arbitrary code. Organizations using affected versions should prioritize patching to prevent potential attacks.

Vendor
Progress
Product
MOVEit Transfer
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Organizations using Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1 should prioritize patching this vulnerability to prevent potential attacks. Operators, platform administrators, vulnerability management teams, and security teams should review the affected scope and severity to determine the necessary actions.

Technical summary

The vulnerability exists in the Custom Reports modules of Progress MOVEit Transfer. An improper neutralization of special elements in data query logic allows attackers to execute arbitrary code. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The affected product context indicates that the vulnerability impacts Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1.

Defensive priority

High

Recommended defensive actions

  • Apply patches from Progress for affected MOVEit Transfer versions.
  • Restrict access to Custom Reports modules.
  • Monitor for suspicious activity in MOVEit Transfer logs.
  • Implement additional security controls around MOVEit Transfer installations.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-08T15:16:25.040Z and was last modified on 2026-07-10T14:33:24.257Z. The NVD entry is currently Analyzed. The vulnerability affects Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity. The CVE record and NVD entry provide additional metadata.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T15:16:25.040Z and has not been modified since then. The NVD entry is currently Analyzed.