CVE-2026-8650 in MOVEit Transferinfo

Summary

by MITRE • 07/08/2026

Relative path traversal vulnerability in Progress MOVEit Transfer (Admin Settings module).

This issue affects MOVEit Transfer: before 2025.0.7, from 2025.1.0 before 2025.1.3.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

Progress MOVEit Transfer contains a relative path traversal vulnerability within its Admin Settings module that allows authenticated attackers to access arbitrary files on the server through improper input validation. This weakness stems from insufficient sanitization of user-supplied parameters when processing administrative configuration requests, enabling malicious actors to manipulate file paths and gain unauthorized access to sensitive system resources.

The vulnerability manifests when administrators interact with the Admin Settings module, where specific parameters controlling file operations are not properly validated or sanitized before being used in file system operations. Attackers can exploit this by crafting malicious requests that include directory traversal sequences such as ../ or ..\ which bypass normal access controls and allow them to navigate outside of intended directories. This flaw affects multiple versions of MOVEit Transfer including all releases prior to 2025.0.7 and versions from 2025.1.0 through 2025.1.2, representing a significant window of affected software installations.

The operational impact of this vulnerability extends beyond simple file access as it can potentially lead to complete system compromise when combined with other attack vectors. An attacker who successfully exploits this weakness could access configuration files containing database credentials, encryption keys, and other sensitive administrative information. The vulnerability aligns with CWE-22 Path Traversal and follows patterns consistent with ATT&CK technique T1078 Valid Accounts, as exploitation typically requires authenticated access to the system. Organizations running affected versions face risks of data exfiltration, system integrity compromise, and potential lateral movement within their networks.

Mitigation strategies include immediate deployment of the patched versions 2025.0.7 and 2025.1.3 or later, which contain proper input validation and sanitization measures for file path operations. Administrators should also implement network segmentation to limit access to administrative interfaces, enforce least privilege principles for user accounts, and monitor system logs for suspicious file access patterns. Additional defensive measures include implementing web application firewalls with rules specific to path traversal attacks and conducting regular security assessments of the administrative modules to identify similar vulnerabilities. Organizations should also review their incident response procedures to ensure preparedness for potential exploitation attempts targeting this class of vulnerability.

Responsible

ProgressSoftware

Reservation

05/15/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!