News Analysis 10 min read

MOVEit Transfer Fixes Put Reports And Ad Hoc Sharing Under Review

Progress patched three MOVEit Transfer flaws affecting custom reports, ad hoc transfers, and SFTP availability. Admins need exact version inventory and controlled upgrades.

By Protocol Report Editorial | Updated July 13, 2026
Technical illustration of a managed file-transfer gateway containing separate report, browser-content, and resource-pressure fault paths
Short Version

Progress disclosed three MOVEit Transfer vulnerabilities on July 8, 2026. The issues sit in different parts of the product: custom reports, the Ad Hoc module, and the SFTP service. The published fixed thresholds are 2025.0.8, 2025.1.4, and 2026.0.1. The Canadian Centre for Cyber Security also lists 2024.1.8 and earlier as affected, which means operators on that branch need a supported migration path rather than a local point fix.

This is a patching event, not a confirmed breach. The public CVE records showed no known exploitation when CISA added its initial assessment, and Progress has not described customer compromise in the material reviewed for this report. The operational case for prompt action comes from where MOVEit sits: it receives files from outside parties, holds sensitive transfer data, exposes administrative reporting, and often supports workflows that cannot simply be switched off.

Key Takeaways

  • check_circle Inventory the exact MOVEit Transfer release, hotfix level, exposed protocols, and enabled Custom Reports and Ad Hoc features.
  • check_circle Move each supported branch to at least 2025.0.8, 2025.1.4, or 2026.0.1, then confirm whether a later supported hotfix is the correct production target.
  • check_circle Treat AuditUser and administrator access as privileged access. Reducing role assignment helps, but it does not replace the vendor fix.
  • check_circle Review report execution, ad hoc package activity, authentication, and SFTP health for anomalies without assuming that an anomaly proves exploitation.
  • check_circle Plan the change around transfer queues, partner windows, backups, validation, and a tested rollback path.
  • check_circle Keep the facts narrow: three vulnerabilities are confirmed; public evidence of active exploitation or customer compromise is not.

What Progress Actually Fixed

The most consequential access-control issue is CVE-2026-10698. Progress describes it as improper neutralization in data query logic in the Custom Reports module. Its 2026.0.1 release notes are more operationally specific: an AuditUser could escalate privileges from Custom Reports. The vendor assigned a CVSS 3.1 score of 7.2. The vector requires high privileges, but it also rates the potential effect on confidentiality, integrity, and availability as high. That makes the affected role part of the security boundary, not a harmless reporting account.

CVE-2026-11903 is an input-neutralization flaw in the Ad Hoc module. The CVE describes cross-site scripting and requires a low-privileged attacker plus user interaction. Progress scored it 8.0, while NVD's independent analysis currently shows 5.4 because it models a changed security scope and lower impacts. That disagreement is a reason to read the vectors, not a reason to ignore the issue. The confirmed fact is that attacker-controlled content could cross into a browser-rendered context used for ad hoc transfer work.

CVE-2026-10699 is an availability flaw. Progress's release notes identify a memory leak in the MOVEit SFTP service, and the vendor CVSS vector describes a remote, unauthenticated, low-complexity path to denial of service. It does not claim file theft or code execution. For an organization that depends on scheduled partner exchanges, payroll feeds, claims, or other timed transfers, loss of the SFTP service can still have a material operational effect.

The Three Flaws Cross Different Trust Boundaries

Grouping the three CVEs under one bulletin is convenient for patching, but it can hide the different control failures. The report issue concerns authorization after login. The Ad Hoc issue concerns what the application renders in another user's browser. The SFTP issue concerns whether an unauthenticated network client can consume enough resources to disrupt service. A single firewall rule or role change cannot address all three paths.

The Custom Reports finding is a reminder that read-oriented roles can still carry dangerous execution surfaces. A report builder often accepts filters, field selections, joins, saved definitions, or other structured input. If the application fails to hold those queries inside the caller's intended scope, a role that sounds observational can reach data or actions outside its mandate. Operators should therefore inventory who has AuditUser access, where those users sign in from, and whether the role is assigned to shared or automation accounts.

The Ad Hoc module sits at a human boundary. Packages, messages, notifications, and browser views connect external senders with internal recipients. Output encoding and input handling are application responsibilities, but defenders can reduce exposure by limiting who can create ad hoc packages and by keeping administrative browsing separate from ordinary mail and web activity. Those controls lower opportunity; only patched software removes the documented flaw.

Version Arithmetic Is The First Control

The affected ranges published with the CVEs are MOVEit Transfer 2025.0.0 through 2025.0.7, 2025.1.0 through 2025.1.3, and 2026.0.0. The corresponding minimum fixed releases are 2025.0.8, 2025.1.4, and 2026.0.1. The Canadian Cyber Centre separately lists 2024.1.8 and prior. Teams should compare the running build to the branch-specific threshold, not compare only the marketing year or assume that every installation called 2026 is fixed.

Progress published 2026.0.2 after 2026.0.1. Its release notes say that 2026.0.2 fixes a database check error during the upgrade process, while the security fixes themselves are documented in 2026.0.1. That distinction matters for change planning. The CVE minimum answers whether the three flaws are fixed; the currently recommended hotfix may also include an upgrade reliability correction. The final target should come from the current vendor advisory, release notes, support status, and the organization's tested upgrade path.

Do not let a scanner's normalized version result become the only source of truth. Record the product edition, installed branch, hotfix, deployment type, and whether traffic terminates directly on MOVEit or passes through a proxy or managed service. Confirm the version from the application and the software inventory. If MOVEit Cloud is involved, use Progress's service communication rather than applying on-premises version logic to a vendor-managed environment.

Patch Without Breaking File Exchange

A managed file-transfer system is usually part of a chain, not an isolated web application. Upstream jobs create files, partners connect on a schedule, automation retrieves packages, and downstream systems mark delivery state. A maintenance window should identify transfers that can pause, transfers that need replay, and owners who can verify that a completed job produced the expected business result.

Progress's 2026 upgrade notes support direct upgrades from MOVEit Transfer 2021.1 and newer, but they also tell administrators to verify system requirements and follow the installation and upgrade guide for preparation, backup, and validation. That is the correct level of caution. Take configuration and data backups that match the deployment, confirm the backup can be reached during recovery, preserve the installer and license material, and write down the rollback decision before starting.

Validation should cover more than a successful service start. Test administrative login, an authorized custom report, an ad hoc package flow, SFTP authentication, upload and download, automation credentials, notification delivery, and the transfer audit trail. Watch memory and queue behavior under normal load. If a reverse proxy, web application firewall, antivirus scanner, data-loss prevention tool, or storage mount is in the path, include it in the acceptance test.

Review Evidence Without Inventing An Incident

There is no public basis in the reviewed sources to say that these three vulnerabilities were exploited in a particular environment. A useful review starts with the disclosure window and expands only when evidence warrants it. Look for unusual Custom Reports use by AuditUser accounts, report access outside normal working patterns, unexpected ad hoc package creation or viewing, repeated SFTP connection bursts, and memory or service restarts that lack an operational explanation.

Preserve relevant application, web, authentication, operating-system, proxy, and monitoring records before short retention windows expire. Correlate events by account, source address, session, and time. An isolated SFTP restart can be a capacity problem; a report run can be legitimate; a browser alert can come from unrelated content. The investigation should test competing explanations rather than relabel ordinary events as compromise.

If evidence points to unauthorized access, contain affected accounts and sessions, preserve forensic data, and follow the incident plan for credential rotation and partner notification. Rotate secrets because the evidence or policy calls for it, not because every MOVEit patch requires indiscriminate reset. Broad emergency changes can create new outages and destroy useful context if they are not coordinated.

What Remains Unknown

The public records define affected versions, weakness classes, scores, and fixes. They do not provide proof-of-concept detail, a list of exposed customers, or evidence that the three issues were combined. They also do not establish that a vulnerable server was compromised. Vulnerable, reachable, attempted, exploited, and breached are different states and should remain separate in tickets and executive reporting.

CISA's initial SSVC enrichment for all three CVEs recorded exploitation as none. That field can change as new evidence arrives, so defenders should monitor the vendor bulletin, CVE records, and relevant government advisories after patching. A clean review today is a time-bounded finding, not a permanent guarantee.

The durable lesson is narrower than the product name. File-transfer systems join untrusted partners, privileged reports, browser workflows, stored data, and time-sensitive automation. Their security review has to cover authorization, content rendering, resource limits, identity, and recovery together. This bulletin provides a concrete reason to test whether those owners and records are already connected.

Checklist

  • Record the running release, hotfix, deployment type, and support status.
  • Confirm exposure of SFTP, Custom Reports, and the Ad Hoc module.
  • Identify AuditUser, administrator, service, and shared accounts.
  • Back up configuration and data, and document the rollback trigger.
  • Upgrade to the vendor-approved fixed build for the active branch.
  • Test report scope, ad hoc transfers, SFTP, automation, and audit logs.
  • Review anomalies while keeping vulnerability and compromise separate.
  • Track subsequent Progress and government advisory updates.

Sources

Related Articles

Continue Reading

Technical editorial diagram showing a slash command passing through request verification, user and channel authorization, parsing, queueing, audit logging, and a deny path
Guide

Slash Commands Need Authorization Boundaries

Slack, Discord, Telegram, and internal chat bots make commands feel lightweight. If a command can export data, change access, or trigger infrastructure, it needs the same authorization discipline as an API endpoint.

Technical editorial diagram showing a guest invitation with sponsor, scoped work surfaces, expiration date, access review, and deactivation path
Guide

Guest Accounts Need Expiration Dates

Contractors, partners, clients, outside collaborators, and community helpers often need temporary access to chat, docs, repos, and tools. Without a sponsor, scope, review, and end date, guest access becomes quiet permanent access.