Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    66 vulnerabilities found for moveit_transfer by progress

    CVE-2026-8801 (GCVE-0-2026-8801)

    Vulnerability from nvd – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:36
    VLAI
    Title
    File Extension Restriction Bypass in MOVEit Transfer
    Summary
    Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules). This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-46 - Path equivalence: 'filename ' (trailing space)
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 0 , < 2025.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:50.871832Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:36:42.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "File Upload"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.\u003c/p\u003e"
                }
              ],
              "value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-46",
                  "description": "CWE-46 Path equivalence: \u0027filename \u0027 (trailing space)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:56:03.468Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "File Extension Restriction Bypass in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8801",
        "datePublished": "2026-07-08T19:56:03.468Z",
        "dateReserved": "2026-05-18T02:43:00.228Z",
        "dateUpdated": "2026-07-09T13:36:42.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8800 (GCVE-0-2026-8800)

    Vulnerability from nvd – Published: 2026-07-08 19:53 – Updated: 2026-07-09 13:35
    VLAI
    Title
    Cross-Org External Token Metadata accessible to AuditUser role
    Summary
    Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:12.446076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:35:24.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Users"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:53:30.984Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Org External Token Metadata accessible to AuditUser role",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8800",
        "datePublished": "2026-07-08T19:53:30.984Z",
        "dateReserved": "2026-05-18T02:42:58.378Z",
        "dateUpdated": "2026-07-09T13:35:24.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8651 (GCVE-0-2026-8651)

    Vulnerability from nvd – Published: 2026-07-08 19:50 – Updated: 2026-07-09 13:32
    VLAI
    Title
    IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer
    Summary
    Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication bypass by spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8651",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:11.324109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:32:24.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "HTTPS"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication bypass by spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:50:43.060Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8651",
        "datePublished": "2026-07-08T19:50:43.060Z",
        "dateReserved": "2026-05-15T04:28:13.929Z",
        "dateUpdated": "2026-07-09T13:32:24.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8650 (GCVE-0-2026-8650)

    Vulnerability from nvd – Published: 2026-07-08 19:47 – Updated: 2026-07-09 13:31
    VLAI
    Title
    Authenticated Path Traversal allows MOVEit admins to view arbitrary system files
    Summary
    Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative path traversal
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 19:45
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8650",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:31:47.057844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:31:57.971Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Admin Settings"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "datePublic": "2026-07-08T19:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative path traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:47:25.636Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Path Traversal allows MOVEit admins to view arbitrary system files",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8650",
        "datePublished": "2026-07-08T19:47:25.636Z",
        "dateReserved": "2026-05-15T04:28:13.041Z",
        "dateUpdated": "2026-07-09T13:31:57.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8649 (GCVE-0-2026-8649)

    Vulnerability from nvd – Published: 2026-07-08 19:41 – Updated: 2026-07-09 13:29
    VLAI
    Title
    Institution scope bypass vulnerability in custom reports
    Summary
    Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8649",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:28:38.467051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:29:22.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-943",
                  "description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:44:22.665Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Institution scope bypass vulnerability in custom reports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8649",
        "datePublished": "2026-07-08T19:41:40.969Z",
        "dateReserved": "2026-05-15T04:28:11.755Z",
        "dateUpdated": "2026-07-09T13:29:22.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11903 (GCVE-0-2026-11903)

    Vulnerability from nvd – Published: 2026-07-08 14:19 – Updated: 2026-07-09 03:55
    VLAI
    Title
    Stored XSS in MOVEit Transfer Ad Hoc module
    Summary
    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2026.0.0 , < 2026.0.1 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2025.0.0 , < 2025.0.8 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11903",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T03:55:41.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Ad Hoc"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\u003cp\u003eThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\n\nThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:19:16.759Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored XSS in MOVEit Transfer Ad Hoc module",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-11903",
        "datePublished": "2026-07-08T14:19:16.759Z",
        "dateReserved": "2026-06-10T15:50:46.983Z",
        "dateUpdated": "2026-07-09T03:55:41.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10699 (GCVE-0-2026-10699)

    Vulnerability from nvd – Published: 2026-07-08 14:18 – Updated: 2026-07-08 15:09
    VLAI
    Title
    Memory leak in SFTP service can result in a denial of service in MOVEit Transfer
    Summary
    Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing release of memory after effective lifetime
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.0.0 , < 2025.0.8 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2026.0.0 , < 2026.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10699",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T15:09:02.289312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T15:09:09.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401 Missing release of memory after effective lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:18:00.255Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Memory leak in SFTP service can result in a denial of service in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-10699",
        "datePublished": "2026-07-08T14:18:00.255Z",
        "dateReserved": "2026-06-02T16:42:38.825Z",
        "dateUpdated": "2026-07-08T15:09:09.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10698 (GCVE-0-2026-10698)

    Vulnerability from nvd – Published: 2026-07-08 14:16 – Updated: 2026-07-09 03:55
    VLAI
    Title
    Table scope bypass vulnerability in custom reports
    Summary
    Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.0.0 , < 2025.0.8 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2026.0.0 , < 2026.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Credits
    Mateusz Mieczkowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10698",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T03:55:42.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mateusz Mieczkowski"
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-943",
                  "description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:16:25.696Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Table scope bypass vulnerability in custom reports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-10698",
        "datePublished": "2026-07-08T14:16:25.696Z",
        "dateReserved": "2026-06-02T16:42:37.519Z",
        "dateUpdated": "2026-07-09T03:55:42.859Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11235 (GCVE-0-2025-11235)

    Vulnerability from nvd – Published: 2026-01-06 22:16 – Updated: 2026-01-07 16:25
    VLAI
    Title
    MOVEit Transfer REST API does not require current password in order to initiate the password change process
    Summary
    Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-620 - Unverified Password Change
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.1.0 , < 2023.1.3 (semver)
    Affected: 2023.0.0 , < 2023.0.8 (semver)
    Affected: 2022.1.0 , < 2022.1.11 (semver)
    Affected: 2022.0.0 , < 2022.0.10 (semver)
    Create a notification for this product.
    Credits
    Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:49.767769Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:25:41.732Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "REST API"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.1.3",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.8",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.11",
                  "status": "affected",
                  "version": "2022.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.0.10",
                  "status": "affected",
                  "version": "2022.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.\u003c/p\u003e"
                }
              ],
              "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-620",
                  "description": "CWE-620 Unverified Password Change",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-06T22:16:48.036Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer REST API does not require current password in order to initiate the password change process",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-11235",
        "datePublished": "2026-01-06T22:16:48.036Z",
        "dateReserved": "2025-10-01T19:09:58.385Z",
        "dateUpdated": "2026-01-07T16:25:41.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13147 (GCVE-0-2025-13147)

    Vulnerability from nvd – Published: 2025-11-19 20:45 – Updated: 2025-11-19 20:50
    VLAI
    Title
    External Service Interaction (DNS)
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 0 , < 2024.1.8 (semver)
    Affected: 2025.0.0 , < 2025.0.4 (semver)
    Create a notification for this product.
    Credits
    Early Warning Services Michael McCambridge Brian Tigges Jason Scribner Alex Achs
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T20:49:54.892323Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T20:50:10.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2024.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.4",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Early Warning Services"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael McCambridge"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Tigges"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jason Scribner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Achs"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.\u003cp\u003eThis issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T20:45:48.418Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html"
            },
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html"
            },
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "External Service Interaction (DNS)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-13147",
        "datePublished": "2025-11-19T20:45:48.418Z",
        "dateReserved": "2025-11-13T20:06:29.891Z",
        "dateUpdated": "2025-11-19T20:50:10.151Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2324 (GCVE-0-2025-2324)

    Vulnerability from nvd – Published: 2025-03-19 15:23 – Updated: 2025-03-19 20:17
    VLAI
    Title
    A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder
    Summary
    Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.1.0 , < 2023.1.12 (custom)
    Affected: 2024.0.0 , < 2024.0.8 (custom)
    Affected: 2024.1.0 , < 2024.1.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T20:16:53.538862Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T20:17:04.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.1.12",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2024.0.8",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2024.1.2",
                  "status": "affected",
                  "version": "2024.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-19T15:23:03.486Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-2324-March-18-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-2324",
        "datePublished": "2025-03-19T15:23:03.486Z",
        "dateReserved": "2025-03-14T17:30:06.106Z",
        "dateUpdated": "2025-03-19T20:17:04.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6576 (GCVE-0-2024-6576)

    Vulnerability from nvd – Published: 2024-07-29 13:46 – Updated: 2024-08-01 21:41
    VLAI
    Title
    MOVEit Transfer Privilege Escalation Vulnerability
    Summary
    Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.0.0 , < 2023.0.12 (semver)
    Affected: 2023.1.0 , < 2023.1.7 (semver)
    Affected: 2024.0.0 , < 2024.0.3 (semver)
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.0.0 , < 2023.0.12 (semver)
    Affected: 2023.1.0 , < 2023.1.7 (semver)
    Affected: 2024.0.0 , < 2024.0.3 (semver)
        cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Discovered Internally
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.0.12",
                    "status": "affected",
                    "version": "2023.0.0",
                    "versionType": "semver"
                  },
                  {
                    "lessThan": "2023.1.7",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  },
                  {
                    "lessThan": "2024.0.3",
                    "status": "affected",
                    "version": "2024.0.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6576",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-29T15:51:24.094046Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-29T16:07:10.830Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.0.12",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.7",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2024.0.3",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Discovered Internally"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-29T13:46:32.409Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6576",
        "datePublished": "2024-07-29T13:46:32.409Z",
        "dateReserved": "2024-07-08T17:38:23.180Z",
        "dateUpdated": "2024-08-01T21:41:03.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-5806 (GCVE-0-2024-5806)

    Vulnerability from nvd – Published: 2024-06-25 15:04 – Updated: 2024-08-01 21:25
    VLAI Shadowserver KEVIntel
    Title
    MOVEit Transfer Authentication Bypass Vulnerability
    Summary
    Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.0.0 , < 2023.0.11 (semver)
    Affected: 2023.1.0 , < 2023.1.6 (semver)
    Affected: 2024.0.0 , < 2024.0.2 (semver)
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.0.0 , < 2023.0.11 (custom)
        cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.1.0 , < 2023.1.6 (custom)
        cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    progress moveit_transfer Affected: 2024.0.0 , < 2024.0.2 (custom)
        cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.0.11",
                    "status": "affected",
                    "version": "2023.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.1.6",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.2",
                    "status": "affected",
                    "version": "2024.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5806",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-27T03:55:23.614488Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-27T13:22:54.244Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.659Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.0.11",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.6",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T23:23:46.318Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-5806",
        "datePublished": "2024-06-25T15:04:37.342Z",
        "dateReserved": "2024-06-10T16:42:56.944Z",
        "dateUpdated": "2024-08-01T21:25:02.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2291 (GCVE-0-2024-2291)

    Vulnerability from nvd – Published: 2024-03-20 14:46 – Updated: 2024-08-01 19:11
    VLAI
    Title
    MOVEit Transfer Logging Bypass Vulnerability
    Summary
    In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.  An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software MOVEit Transfer Affected: 2022.0.0 (14.0.0) , < 2022.0.11 (14.0.11) (semver)
    Affected: 2022.1.0 (14.1.0) , < 2022.1.12 (14.1.12) (semver)
    Affected: 2023.0.0 (15.0.0) , < 2023.0.9 (15.0.9) (semver)
    Affected: 2023.1.0 (15.1.0) , < 2023.1.4 (15.1.4) (semver)
    Create a notification for this product.
    Credits
    HackerOne: interl0per
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2291",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-20T20:09:08.372929Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:49.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:11:53.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "MOVEit Transfer",
              "vendor": "Progress Software",
              "versions": [
                {
                  "lessThan": "2022.0.11 (14.0.11)",
                  "status": "affected",
                  "version": "2022.0.0 (14.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.12 (14.1.12)",
                  "status": "affected",
                  "version": "2022.1.0 (14.1.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.9 (15.0.9)",
                  "status": "affected",
                  "version": "2023.0.0 (15.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.4 (15.1.4)",
                  "status": "affected",
                  "version": "2023.1.0 (15.1.0)",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: interl0per"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e"
                }
              ],
              "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-268",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-268 Audit Log Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-778",
                  "description": "CWE-778: Insufficient Logging",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-20T14:46:59.040Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Logging Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-2291",
        "datePublished": "2024-03-20T14:46:59.040Z",
        "dateReserved": "2024-03-07T17:27:18.819Z",
        "dateUpdated": "2024-08-01T19:11:53.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-0396 (GCVE-0-2024-0396)

    Vulnerability from nvd – Published: 2024-01-17 15:56 – Updated: 2024-11-13 19:52
    VLAI
    Title
    Missing Server-Side Input Validation in HTTP Parameter
    Summary
    In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation MOVEit Transfer Affected: 2022.0.0 (14.0.0) , < 2022.0.10 (14.0.10) (semver)
    Affected: 2022.1.0 (14.1.0) , < 2022.1.11 (14.1.11) (semver)
    Affected: 2023.0.0 (15.0.0) , < 2023.0.8 (15.0.8) (semver)
    Affected: 2023.1.0 (15.1.0) , < 2023.1.3 (15.1.3) (semver)
    Create a notification for this product.
    Credits
    HackerOne: p-v-p
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:04:49.919Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T20:58:50.772488Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T19:52:11.923Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "MOVEit Transfer",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2022.0.10 (14.0.10)",
                  "status": "affected",
                  "version": "2022.0.0 (14.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.11 (14.1.11)",
                  "status": "affected",
                  "version": "2022.1.0 (14.1.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.8 (15.0.8)",
                  "status": "affected",
                  "version": "2023.0.0 (15.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.3 (15.1.3)",
                  "status": "affected",
                  "version": "2023.1.0 (15.1.0)",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: p-v-p"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered.  An authenticated user can manipulate a parameter in an HTTPS transaction.  The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
                }
              ],
              "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered.  An authenticated user can manipulate a parameter in an HTTPS transaction.  The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-17T15:58:24.651Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Server-Side Input Validation in HTTP Parameter",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-0396",
        "datePublished": "2024-01-17T15:56:41.390Z",
        "dateReserved": "2024-01-10T13:12:29.565Z",
        "dateUpdated": "2024-11-13T19:52:11.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-8801 (GCVE-0-2026-8801)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:56 – Updated: 2026-07-09 13:36
    VLAI
    Title
    File Extension Restriction Bypass in MOVEit Transfer
    Summary
    Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules). This issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-46 - Path equivalence: 'filename ' (trailing space)
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 0 , < 2025.0.8 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8801",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:50.871832Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:36:42.815Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "File Upload"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4.\u003c/p\u003e"
                }
              ],
              "value": "Path equivalence: vulnerability in Progress MOVEit Transfer (File Upload modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.8, from 2025.1.0 before 2025.1.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-46",
                  "description": "CWE-46 Path equivalence: \u0027filename \u0027 (trailing space)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:56:03.468Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "File Extension Restriction Bypass in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8801",
        "datePublished": "2026-07-08T19:56:03.468Z",
        "dateReserved": "2026-05-18T02:43:00.228Z",
        "dateUpdated": "2026-07-09T13:36:42.815Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8800 (GCVE-0-2026-8800)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:53 – Updated: 2026-07-09 13:35
    VLAI
    Title
    Cross-Org External Token Metadata accessible to AuditUser role
    Summary
    Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-863 - Incorrect Authorization
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8800",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:35:12.446076Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:35:24.535Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Users"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Incorrect Authorization vulnerability in Progress MOVEit Transfer (Audit User module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:53:30.984Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Cross-Org External Token Metadata accessible to AuditUser role",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8800",
        "datePublished": "2026-07-08T19:53:30.984Z",
        "dateReserved": "2026-05-18T02:42:58.378Z",
        "dateUpdated": "2026-07-09T13:35:24.535Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8651 (GCVE-0-2026-8651)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:50 – Updated: 2026-07-09 13:32
    VLAI
    Title
    IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer
    Summary
    Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication bypass by spoofing
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8651",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:32:11.324109Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:32:24.568Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "HTTPS"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Limited authentication bypass by spoofing vulnerability in Progress MOVEit Transfer (HTTPS module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290 Authentication bypass by spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:50:43.060Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "IPv6 Loopback Spoof via Trusted Host Header Bypasses Origin Check in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8651",
        "datePublished": "2026-07-08T19:50:43.060Z",
        "dateReserved": "2026-05-15T04:28:13.929Z",
        "dateUpdated": "2026-07-09T13:32:24.568Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8650 (GCVE-0-2026-8650)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:47 – Updated: 2026-07-09 13:31
    VLAI
    Title
    Authenticated Path Traversal allows MOVEit admins to view arbitrary system files
    Summary
    Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-23 - Relative path traversal
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 19:45
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8650",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:31:47.057844Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:31:57.971Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Admin Settings"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "datePublic": "2026-07-08T19:45:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative path traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:47:25.636Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Authenticated Path Traversal allows MOVEit admins to view arbitrary system files",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8650",
        "datePublished": "2026-07-08T19:47:25.636Z",
        "dateReserved": "2026-05-15T04:28:13.041Z",
        "dateUpdated": "2026-07-09T13:31:57.971Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8649 (GCVE-0-2026-8649)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:41 – Updated: 2026-07-09 13:29
    VLAI
    Title
    Institution scope bypass vulnerability in custom reports
    Summary
    Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.1.0 , < 2025.1.3 (semver)
    Affected: 0 , < 2025.0.7 (semver)
    Create a notification for this product.
    Credits
    Niv Levy
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8649",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:28:38.467051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:29:22.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.1.3",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Levy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-943",
                  "description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:44:22.665Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2026/page/Fixed-Issues-in-2026.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Institution scope bypass vulnerability in custom reports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-8649",
        "datePublished": "2026-07-08T19:41:40.969Z",
        "dateReserved": "2026-05-15T04:28:11.755Z",
        "dateUpdated": "2026-07-09T13:29:22.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11903 (GCVE-0-2026-11903)

    Vulnerability from cvelistv5 – Published: 2026-07-08 14:19 – Updated: 2026-07-09 03:55
    VLAI
    Title
    Stored XSS in MOVEit Transfer Ad Hoc module
    Summary
    Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Progress MOVEit Transfer (Ad Hoc module). This issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper neutralization of input during web page generation ('cross-site scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2026.0.0 , < 2026.0.1 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2025.0.0 , < 2025.0.8 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11903",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T03:55:41.919Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Ad Hoc"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\u003cp\u003eThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8.\u003c/p\u003e"
                }
              ],
              "value": "Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027) vulnerability in Progress MOVEit Transfer (Ad Hoc module).\n\nThis issue affects MOVEit Transfer: from 2026.0.0 before 2026.0.1, from 2025.1.0 before 2025.1.4, from 2025.0.0 before 2025.0.8."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper neutralization of input during web page generation (\u0027cross-site scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:19:16.759Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Stored XSS in MOVEit Transfer Ad Hoc module",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-11903",
        "datePublished": "2026-07-08T14:19:16.759Z",
        "dateReserved": "2026-06-10T15:50:46.983Z",
        "dateUpdated": "2026-07-09T03:55:41.919Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10699 (GCVE-0-2026-10699)

    Vulnerability from cvelistv5 – Published: 2026-07-08 14:18 – Updated: 2026-07-08 15:09
    VLAI
    Title
    Memory leak in SFTP service can result in a denial of service in MOVEit Transfer
    Summary
    Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-401 - Missing release of memory after effective lifetime
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.0.0 , < 2025.0.8 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2026.0.0 , < 2026.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10699",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T15:09:02.289312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T15:09:09.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Missing release of memory after effective lifetime vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-401",
                  "description": "CWE-401 Missing release of memory after effective lifetime",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:18:00.255Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Memory leak in SFTP service can result in a denial of service in MOVEit Transfer",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-10699",
        "datePublished": "2026-07-08T14:18:00.255Z",
        "dateReserved": "2026-06-02T16:42:38.825Z",
        "dateUpdated": "2026-07-08T15:09:09.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10698 (GCVE-0-2026-10698)

    Vulnerability from cvelistv5 – Published: 2026-07-08 14:16 – Updated: 2026-07-09 03:55
    VLAI
    Title
    Table scope bypass vulnerability in custom reports
    Summary
    Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules). This issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2025.0.0 , < 2025.0.8 (semver)
    Affected: 2025.1.0 , < 2025.1.4 (semver)
    Affected: 2026.0.0 , < 2026.0.1 (semver)
    Create a notification for this product.
    Date Public
    2026-07-08 14:00
    Credits
    Mateusz Mieczkowski
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10698",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T03:55:42.859Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "Custom Reports"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2025.0.8",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.1.4",
                  "status": "affected",
                  "version": "2025.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2026.0.1",
                  "status": "affected",
                  "version": "2026.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mateusz Mieczkowski"
            }
          ],
          "datePublic": "2026-07-08T14:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Neutralization of Special Elements in Data Query Logic vulnerability in Progress MOVEit Transfer (Custom Reports modules).\n\nThis issue affects MOVEit Transfer: from 2025.0.0 before 2025.0.8, from 2025.1.0 before 2025.1.4, from 2026.0.0 before 2026.0.1."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-943",
                  "description": "CWE-943 Improper Neutralization of Special Elements in Data Query Logic",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T14:16:25.696Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Critical-Security-Bulletin-June-2026"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Table scope bypass vulnerability in custom reports",
          "x_generator": {
            "engine": "Vulnogram 1.0.2"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2026-10698",
        "datePublished": "2026-07-08T14:16:25.696Z",
        "dateReserved": "2026-06-02T16:42:37.519Z",
        "dateUpdated": "2026-07-09T03:55:42.859Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-11235 (GCVE-0-2025-11235)

    Vulnerability from cvelistv5 – Published: 2026-01-06 22:16 – Updated: 2026-01-07 16:25
    VLAI
    Title
    MOVEit Transfer REST API does not require current password in order to initiate the password change process
    Summary
    Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-620 - Unverified Password Change
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.1.0 , < 2023.1.3 (semver)
    Affected: 2023.0.0 , < 2023.0.8 (semver)
    Affected: 2022.1.0 , < 2022.1.11 (semver)
    Affected: 2022.0.0 , < 2022.0.10 (semver)
    Create a notification for this product.
    Credits
    Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-11235",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-07T16:24:49.767769Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-07T16:25:41.732Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "REST API"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.1.3",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.8",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.11",
                  "status": "affected",
                  "version": "2022.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.0.10",
                  "status": "affected",
                  "version": "2022.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Aden Yap Chuen Zhen, BAE SYSTEM Digital Intelligence"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10.\u003c/p\u003e"
                }
              ],
              "value": "Unverified Password Change vulnerability in Progress MOVEit Transfer on Windows (REST API modules).This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.3, from 2023.0.0 before 2023.0.8, from 2022.1.0 before 2022.1.11, from 2022.0.0 before 2022.0.10."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-620",
                  "description": "CWE-620 Unverified Password Change",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-06T22:16:48.036Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2023_1/page/Fixed-Issues-in-2023.1.3.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer REST API does not require current password in order to initiate the password change process",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-11235",
        "datePublished": "2026-01-06T22:16:48.036Z",
        "dateReserved": "2025-10-01T19:09:58.385Z",
        "dateUpdated": "2026-01-07T16:25:41.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13147 (GCVE-0-2025-13147)

    Vulnerability from cvelistv5 – Published: 2025-11-19 20:45 – Updated: 2025-11-19 20:50
    VLAI
    Title
    External Service Interaction (DNS)
    Summary
    Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 0 , < 2024.1.8 (semver)
    Affected: 2025.0.0 , < 2025.0.4 (semver)
    Create a notification for this product.
    Credits
    Early Warning Services Michael McCambridge Brian Tigges Jason Scribner Alex Achs
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13147",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-19T20:49:54.892323Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-19T20:50:10.151Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2024.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2025.0.4",
                  "status": "affected",
                  "version": "2025.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Early Warning Services"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael McCambridge"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Brian Tigges"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Jason Scribner"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Alex Achs"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.\u003cp\u003eThis issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.\u003c/p\u003e"
                }
              ],
              "value": "Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-19T20:45:48.418Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2024/page/Fixed-Issues-in-2024.1.8.html"
            },
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025/page/Fixed-Issues-in-2025.0.4.html"
            },
            {
              "url": "https://docs.progress.com/bundle/moveit-transfer-release-notes-2025_1/page/Fixed-Issues-in-2025.1.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "External Service Interaction (DNS)",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-13147",
        "datePublished": "2025-11-19T20:45:48.418Z",
        "dateReserved": "2025-11-13T20:06:29.891Z",
        "dateUpdated": "2025-11-19T20:50:10.151Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2324 (GCVE-0-2025-2324)

    Vulnerability from cvelistv5 – Published: 2025-03-19 15:23 – Updated: 2025-03-19 20:17
    VLAI
    Title
    A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder
    Summary
    Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.1.0 , < 2023.1.12 (custom)
    Affected: 2024.0.0 , < 2024.0.8 (custom)
    Affected: 2024.1.0 , < 2024.1.2 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-19T20:16:53.538862Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-19T20:17:04.235Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.1.12",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2024.0.8",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "2024.1.2",
                  "status": "affected",
                  "version": "2024.1.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Privilege Management vulnerability for users configured as Shared Accounts in Progress MOVEit Transfer (SFTP module) allows Privilege Escalation.This issue affects MOVEit Transfer: from 2023.1.0 before 2023.1.12, from 2024.0.0 before 2024.0.8, from 2024.1.0 before 2024.1.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-19T15:23:03.486Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-2324-March-18-2025"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "A MOVEit Transfer user configured as a Shared Account can gain unintended List permissions on a folder",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2025-2324",
        "datePublished": "2025-03-19T15:23:03.486Z",
        "dateReserved": "2025-03-14T17:30:06.106Z",
        "dateUpdated": "2025-03-19T20:17:04.235Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-6576 (GCVE-0-2024-6576)

    Vulnerability from cvelistv5 – Published: 2024-07-29 13:46 – Updated: 2024-08-01 21:41
    VLAI
    Title
    MOVEit Transfer Privilege Escalation Vulnerability
    Summary
    Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.0.0 , < 2023.0.12 (semver)
    Affected: 2023.1.0 , < 2023.1.7 (semver)
    Affected: 2024.0.0 , < 2024.0.3 (semver)
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.0.0 , < 2023.0.12 (semver)
    Affected: 2023.1.0 , < 2023.1.7 (semver)
    Affected: 2024.0.0 , < 2024.0.3 (semver)
        cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Discovered Internally
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.0.12",
                    "status": "affected",
                    "version": "2023.0.0",
                    "versionType": "semver"
                  },
                  {
                    "lessThan": "2023.1.7",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "semver"
                  },
                  {
                    "lessThan": "2024.0.3",
                    "status": "affected",
                    "version": "2024.0.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-6576",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-29T15:51:24.094046Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-29T16:07:10.830Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:41:03.876Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "platforms": [
                "Windows"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.0.12",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.7",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2024.0.3",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Discovered Internally"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Privilege Escalation.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.12, from 2023.1.0 before 2023.1.7, from 2024.0.0 before 2024.0.3."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-29T13:46:32.409Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-July-2024-CVE-2024-6576"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Privilege Escalation Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-6576",
        "datePublished": "2024-07-29T13:46:32.409Z",
        "dateReserved": "2024-07-08T17:38:23.180Z",
        "dateUpdated": "2024-08-01T21:41:03.876Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-5806 (GCVE-0-2024-5806)

    Vulnerability from cvelistv5 – Published: 2024-06-25 15:04 – Updated: 2024-08-01 21:25
    VLAI Shadowserver KEVIntel
    Title
    MOVEit Transfer Authentication Bypass Vulnerability
    Summary
    Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress MOVEit Transfer Affected: 2023.0.0 , < 2023.0.11 (semver)
    Affected: 2023.1.0 , < 2023.1.6 (semver)
    Affected: 2024.0.0 , < 2024.0.2 (semver)
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.0.0 , < 2023.0.11 (custom)
        cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    progress moveit_transfer Affected: 2023.1.0 , < 2023.1.6 (custom)
        cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*
    Create a notification for this product.
    progress moveit_transfer Affected: 2024.0.0 , < 2024.0.2 (custom)
        cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2023.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.0.11",
                    "status": "affected",
                    "version": "2023.0.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2023.1.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2023.1.6",
                    "status": "affected",
                    "version": "2023.1.0",
                    "versionType": "custom"
                  }
                ]
              },
              {
                "cpes": [
                  "cpe:2.3:a:progress:moveit_transfer:2024.0.0:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "moveit_transfer",
                "vendor": "progress",
                "versions": [
                  {
                    "lessThan": "2024.0.2",
                    "status": "affected",
                    "version": "2024.0.0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5806",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-27T03:55:23.614488Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-27T13:22:54.244Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T21:25:02.659Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "modules": [
                "SFTP"
              ],
              "product": "MOVEit Transfer",
              "vendor": "Progress",
              "versions": [
                {
                  "lessThan": "2023.0.11",
                  "status": "affected",
                  "version": "2023.0.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.6",
                  "status": "affected",
                  "version": "2023.1.0",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2024.0.2",
                  "status": "affected",
                  "version": "2024.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.\u003cp\u003eThis issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.\u003c/p\u003e"
                }
              ],
              "value": "Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass.This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-115",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-115 Authentication Bypass"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-25T23:23:46.318Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Product-Security-Alert-Bulletin-June-2024-CVE-2024-5806"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Authentication Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-5806",
        "datePublished": "2024-06-25T15:04:37.342Z",
        "dateReserved": "2024-06-10T16:42:56.944Z",
        "dateUpdated": "2024-08-01T21:25:02.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-2291 (GCVE-0-2024-2291)

    Vulnerability from cvelistv5 – Published: 2024-03-20 14:46 – Updated: 2024-08-01 19:11
    VLAI
    Title
    MOVEit Transfer Logging Bypass Vulnerability
    Summary
    In Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.  An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software MOVEit Transfer Affected: 2022.0.0 (14.0.0) , < 2022.0.11 (14.0.11) (semver)
    Affected: 2022.1.0 (14.1.0) , < 2022.1.12 (14.1.12) (semver)
    Affected: 2023.0.0 (15.0.0) , < 2023.0.9 (15.0.9) (semver)
    Affected: 2023.1.0 (15.1.0) , < 2023.1.4 (15.1.4) (semver)
    Create a notification for this product.
    Credits
    HackerOne: interl0per
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-2291",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-20T20:09:08.372929Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:30:49.129Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T19:11:53.265Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "MOVEit Transfer",
              "vendor": "Progress Software",
              "versions": [
                {
                  "lessThan": "2022.0.11 (14.0.11)",
                  "status": "affected",
                  "version": "2022.0.0 (14.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.12 (14.1.12)",
                  "status": "affected",
                  "version": "2022.1.0 (14.1.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.9 (15.0.9)",
                  "status": "affected",
                  "version": "2023.0.0 (15.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.4 (15.1.4)",
                  "status": "affected",
                  "version": "2023.1.0 (15.1.0)",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: interl0per"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u0026nbsp; An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly.\u003c/span\u003e"
                }
              ],
              "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.11 (14.0.11), 2022.1.12 (14.1.12), 2023.0.9 (15.0.9), 2023.1.4 (15.1.4), a logging bypass vulnerability has been discovered.\u00a0 An authenticated user could manipulate a request to bypass the logging mechanism within the web application which results in user activity not being logged properly."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-268",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-268 Audit Log Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-778",
                  "description": "CWE-778: Insufficient Logging",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-03-20T14:46:59.040Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-March-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "MOVEit Transfer Logging Bypass Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-2291",
        "datePublished": "2024-03-20T14:46:59.040Z",
        "dateReserved": "2024-03-07T17:27:18.819Z",
        "dateUpdated": "2024-08-01T19:11:53.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-0396 (GCVE-0-2024-0396)

    Vulnerability from cvelistv5 – Published: 2024-01-17 15:56 – Updated: 2024-11-13 19:52
    VLAI
    Title
    Missing Server-Side Input Validation in HTTP Parameter
    Summary
    In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered. An authenticated user can manipulate a parameter in an HTTPS transaction. The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Progress Software Corporation MOVEit Transfer Affected: 2022.0.0 (14.0.0) , < 2022.0.10 (14.0.10) (semver)
    Affected: 2022.1.0 (14.1.0) , < 2022.1.11 (14.1.11) (semver)
    Affected: 2023.0.0 (15.0.0) , < 2023.0.8 (15.0.8) (semver)
    Affected: 2023.1.0 (15.1.0) , < 2023.1.3 (15.1.3) (semver)
    Create a notification for this product.
    Credits
    HackerOne: p-v-p
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:04:49.919Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "product",
                  "x_transferred"
                ],
                "url": "https://www.progress.com/moveit"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0396",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-23T20:58:50.772488Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-13T19:52:11.923Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "affected",
              "product": "MOVEit Transfer",
              "vendor": "Progress Software Corporation",
              "versions": [
                {
                  "lessThan": "2022.0.10 (14.0.10)",
                  "status": "affected",
                  "version": "2022.0.0 (14.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2022.1.11 (14.1.11)",
                  "status": "affected",
                  "version": "2022.1.0 (14.1.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.0.8 (15.0.8)",
                  "status": "affected",
                  "version": "2023.0.0 (15.0.0)",
                  "versionType": "semver"
                },
                {
                  "lessThan": "2023.1.3 (15.1.3)",
                  "status": "affected",
                  "version": "2023.1.0 (15.1.0)",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "HackerOne: p-v-p"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\n\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered.  An authenticated user can manipulate a parameter in an HTTPS transaction.  The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
                }
              ],
              "value": "\nIn Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered.  An authenticated user can manipulate a parameter in an HTTPS transaction.  The modified transaction could lead to computational errors within MOVEit Transfer and potentially result in a denial of service.\n\n"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-113",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-113 API Manipulation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-01-17T15:58:24.651Z",
            "orgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
            "shortName": "ProgressSoftware"
          },
          "references": [
            {
              "tags": [
                "product"
              ],
              "url": "https://www.progress.com/moveit"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-January-2024"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Missing Server-Side Input Validation in HTTP Parameter",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "f9fea0b6-671e-4eea-8fde-31911902ae05",
        "assignerShortName": "ProgressSoftware",
        "cveId": "CVE-2024-0396",
        "datePublished": "2024-01-17T15:56:41.390Z",
        "dateReserved": "2024-01-10T13:12:29.565Z",
        "dateUpdated": "2024-11-13T19:52:11.923Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }