
Progress Software continues to cooperate with SEC investigation into the exploitation of MOVEit software

Uncertainty looms as the company remains hesitant to estimate the possible repercussions of multiple investigations by various government agencies.


Progress Software, a prominent software company, is currently navigating a series of challenges following a significant data breach linked to its MOVEit Transfer product. The breach, which was first disclosed in October 2023, has led to a cascade of incidents into 2024 and 2025, impacting thousands of organizations worldwide.

The vulnerability, CVE-2023-34362, was a critical SQL injection flaw that allowed unauthenticated attackers to access and manipulate MOVEit databases remotely. This vulnerability was actively exploited by the Cl0p ransomware group, leading to a widespread attack starting around May 27, 2023. The group publicly announced on June 7, 2023, that they had compromised MOVEit transactions globally and threatened to release stolen sensitive data if ransoms were not paid by June 14, 2023.

The breach affected major companies and third-party payroll providers, such as Zellis, compromising high-profile victims like the BBC, Boots, and British Airways. Additional vulnerabilities, such as CVE-2023-35708, surfaced later in June 2023, extending the threat window and complicating remediation efforts.

In response, Progress Software launched an extensive investigation, notifying customers and issuing mitigation guidance. They subsequently released security patches to fix the vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued advisories, and Progress Software became the subject of SEC investigations due to the widespread impact and disclosure concerns related to the MOVEit weaknesses and breach management.

As of mid-2025, the situation remains under investigation, with ongoing efforts to assess the full scope of data exposure and damages, remediate residual vulnerabilities, and address regulatory and compliance implications stemming from these MOVEit Transfer software compromises.

Despite these challenges, revenue from MOVEit represents only about 4% of Progress Software's total revenue. For the full year of fiscal 2024, the company expects revenue to range between $722 million and $732 million, which is consistent with earlier guidance.

In other news, Progress Software is considering acquiring MariaDB, a provider of open source relational database management software. The potential offer for MariaDB is 60 cents a share, which is 9% more than the previous offer by K1 Investment Management. The forecast for cyber incident and vulnerability response expenses for the fiscal year 2024 is about $5.8 million.

CEO Yogesh Gupta has stated that the inquiries do not indicate any law violations by anyone at the company or a negative impression of the company by the agencies. He also mentioned that the company has received positive feedback for its response to the situation and emphasised that every MOVEit customer is considered important.

Progress Software has disclosed in its 10-K filing that about 118 class action lawsuits have been filed. The company reported revenue of $185 million for the fiscal first quarter, which ended on February 29, 2024. Progress Software is currently cooperating with investigations by the Securities and Exchange Commission and other entities regarding its handling of the MOVEit vulnerabilities. The SEC, Federal Trade Commission, data privacy regulators in the U.S. and abroad, several attorneys general, and various other entities are investigating the MOVEit vulnerability and related attacks.

  1. The data breach at Progress Software, related to its MOVEit Transfer product, has raised concerns about the company's cybersecurity practices and the privacy of its users, as it has affected thousands of organizations worldwide.
  2. The Cl0p ransomware group, exploiting the critical SQL injection flaw (CVE-2023-34362) in MOVEit, carried out a widespread attack, impacting major companies like the BBC, Boots, and British Airways, and threatening to release stolen sensitive data.
  3. Following the breach, Progress Software faces investigations by the Securities and Exchange Commission (SEC) and other entities regarding its handling of the MOVEit vulnerabilities, alongside the ongoing class action lawsuits and investigations by data privacy regulators, attorneys general, and various other entities.
  4. Despite the ongoing challenges and investigations, Progress Software is actively considering business opportunities such as the acquisition of MariaDB and is looking to invest in cybersecurity measures, as highlighted by the forecast for cyber incident and vulnerability response expenses of about $5.8 million for fiscal year 2024.
