PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10699 Progress CVE debrief

A high-severity vulnerability was found in Progress MOVEit Transfer, affecting versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. This issue is related to a missing release of memory after its effective lifetime, which could potentially lead to security issues. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. It affects the Custom Reports modules of MOVEit Transfer.

Vendor
Progress
Product
MOVEit Transfer
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Organizations using Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1 should apply patches or mitigations. This includes operators, platform administrators, vulnerability management teams, and security teams responsible for these systems.

Technical summary

The vulnerability, CVE-2026-10699, has a CVSS score of 7.5 and is classified as HIGH severity. It affects the Custom Reports modules of MOVEit Transfer. The issue is caused by a missing release of memory after its effective lifetime, which could potentially lead to security issues. The vulnerability affects Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it has a high CVSS score and affects multiple versions of MOVEit Transfer.

Recommended defensive actions

  • Apply patches or updates provided by Progress for MOVEit Transfer to the latest version.
  • Implement compensating controls, such as monitoring and exception tracking.
  • Conduct inventory checks to identify affected systems.
  • Review and update security policies and procedures.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.

Evidence notes

The CVE record was published on 2026-07-08T15:16:25.173Z and last modified on 2026-07-10T14:25:58.720Z. The NVD entry is currently Analyzed. The vulnerability affects Progress MOVEit Transfer versions from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, and from 2026.0.0 before 2026.0.1. Evidence is based on CVE and NVD information, which may have limitations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T15:16:25.173Z and has not been modified since then. The NVD entry is currently Analyzed.