External risk intelligence

MOVEit Transfer Custom Reports Data Query Logic Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-8649

Progress MOVEit Transfer is a managed file transfer solution designed to be deployed as an internet-facing gateway for secure data exchange, making its web-based management and file transfer interfaces inherently public-facing by design.

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Progress MOVEit Transfer's custom reports module allows attackers to manipulate data queries, potentially leading to severe impacts on confidentiality, integrity, and availability. This issue affects internet-facing deployments of MOVEit Transfer.

  • Data query logic flaw in file transfer software.
  • Affects external-facing systems, requiring attention.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted query to the Custom Reports module of MOVEit Transfer. This module, which is accessible over the network without requiring authentication, is susceptible to improper handling of data queries. Successful exploitation could lead to significant compromise of confidentiality, integrity, and availability of the system.

  • Internet-accessible without authentication.
  • Triggered by crafted data queries.
  • Leads to high system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands on the affected MOVEit Transfer system. This could happen through specially crafted queries targeting the Custom Reports module.

  • System data could be compromised.
  • Unauthenticated network access allows exploitation.
  • Complete system compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The teams most likely responsible for addressing this critical vulnerability in Progress MOVEit Transfer are the application owners, who manage the MOVEit Transfer instances, and potentially the infrastructure or platform teams if MOVEit is part of a managed service. The initial and most crucial step is to confirm the presence and exposure of MOVEit Transfer across the environment, identify the business-critical systems that rely on it, and ascertain the accountable owner before planning any remediation activities.

  • Application owners must prioritize this issue.
  • Verify all MOVEit Transfer instances and reachability.
  • Plan remediation based on confirmed exposure.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Progress MOVEit Transfer?

Progress MOVEit Transfer is a managed file transfer application that organizations use to securely exchange sensitive data. It serves as a centralized gateway for moving files between employees, customers, and partners, often operating as a public-facing service to facilitate these external connections.

What does CVE-2026-8649 mean?

This CVE represents a vulnerability classified as CWE-943, which is an Improper Neutralization of Special Elements in Data Query Logic. In plain English, the software fails to properly sanitize inputs sent to its Custom Reports module, allowing an attacker to manipulate the underlying database queries to perform unauthorized actions.

How is this vulnerability triggered?

An attacker triggers this flaw by sending a specially crafted, malicious query to the Custom Reports module. The vulnerability is tied to this specific module's query logic; therefore, interacting with other, non-reporting features of the software does not trigger the bug.

Do I need to worry if my instance is internal?

According to Halo Surface Signal, this software is designed as an internet-facing gateway, making it highly likely to be exposed. While internet-facing instances are the primary concern, you should verify your network architecture to confirm if your specific deployment is accessible from the public internet or restricted to an internal network.

What is the first step to address CVE-2026-8649?

The immediate priority is to identify all instances of MOVEit Transfer within your environment and determine their current version to see if they fall within the affected ranges. Once you have an inventory, confirm which instances are reachable over the network and establish clear ownership to coordinate the necessary updates.

References