The US Securities and Exchange Commission (SEC) will not bring charges against Progress Software over the MOVEit software supply chain attack that has exposed the data of hundreds of thousands of individuals since 2023.
In an August 6 Form 8-K, a document that US public companies must file with the SEC to announce significant events that shareholders should know about, Progress Software said the Commission has concluded its investigation into its handling of the exploitation of a MOVEit Transfer zero-day vulnerability in 2023.
“As beforehand disclosed, Progress acquired a subpoena from the SEC on October 2, 2023, as a part of a fact-finding inquiry looking for varied paperwork and knowledge regarding the MOVEit vulnerability,” the SEC filing said.
However, after months of investigation, the SEC’s Division of Enforcement decided not to recommend any enforcement action regarding the security incident.
MOVEit Software Supply Chain Attack
The zero-day vulnerability, initially uncovered by Progress in June 2023, was an SQL injection weakness found in the managed file transfer (MFT) product. This flaw (CVE-2023-34362) could grant escalated privileges and unauthorised access.
The Clop ransomware gang quickly took advantage of the zero-day to launch a large-scale data theft campaign against companies worldwide.
Cybersecurity provider Emsisoft estimates that the incident has impacted 2773 organizations and over 95 million people at the time of writing.
In June 2024, Progress Software disclosed two new vulnerabilities in its MOVEit file transfer products.