SEC Investigation into Progress MOVEit Hack Ends Without Charges

The US Securities and Exchange Commission (SEC) will not bring charges against Progress Software over the MOVEit software supply chain attack that exposed the data of millions of people since 2023.

In an August 6 Form 8-K, a document that US public companies must file with the SEC to announce significant events that shareholders should know about, Progress Software said the Commission has concluded its investigation into its handling of the exploitation of a MOVEit Transfer zero-day vulnerabilities in 2023.

“As previously disclosed, Progress received a subpoena from the SEC on October 2, 2023, as part of a fact-finding inquiry seeking various documents and information relating to the MOVEit vulnerability,” said the SEC filing.

However, after months of investigation, the SEC’s Division of Enforcement decided not to recommend any enforcement action regarding the security incident.

MOVEit Software Supply Chain Attack

The zero-day vulnerability, originally uncovered by Progress in June 2023, was an SQL injection weakness found in the managed file transfer (MFT) product. This flaw (CVE-2023-34362) could grant escalated privileges and unauthorised access.

The Clop ransomware gang quickly took advantage of the zero-day to launch a large-scale data theft campaign against companies worldwide.

Cybersecurity provider Emsisoft estimates that the incident has impacted 2773 organizations and over 95 million people at the time of writing.

In June 2024, Progress Software disclosed two fresh vulnerabilities in its MOVEit file transfer products.