Accumulating Legal Responsibilities and Financial Burdens for Progress Software in Moveit
Progress Software is currently embroiled in a series of legal battles stemming from a zero-day SQL injection vulnerability discovered in its MOVEit Transfer software in May 2023. The vulnerability, identified as CVE-2023-34362, was exploited by the Cl0p ransomware group, leading to a global wave of data breaches and ransom demands.
Timeline of Events
- May 27–31, 2023: The vulnerability was actively exploited, enabling attackers to deploy web shells like "LEMURLOOT," causing unauthorized data exfiltration from MOVEit Transfer servers.
- June 7, 2023: The Cl0p cyber gang announced the breach and demanded ransoms from hundreds of affected organizations worldwide, threatening to publish stolen sensitive data.
- Mid-June 2023: Progress responded by investigating, alerting customers, blocking traffic to MOVEit, and releasing security patches. A second vulnerability (CVE-2023-35708) was disclosed later, but its exploitability remained low.
- Post-attack developments: Numerous entities reported data leaks, resulting in multiple class-action lawsuits against Progress for inadequate security measures, delayed patching, and lack of timely notification.
- As of August 2025: The number of lawsuits has increased, with plaintiffs alleging various issues. These legal battles are ongoing, reflecting the broader impact of the MOVEit breach on Progress' liability exposure.
Current Status
Subpoenas from the attorneys general in the District of Columbia and New Jersey remain ongoing. The Securities and Exchange Commission (SEC) notified Progress of a formal investigation in October. Progress has received letters from 38 customers, some of which indicated they intend to seek indemnification.
The number of class-action lawsuits filed against Progress increased from 127 at the end of the previous quarter. By the end of 2023, Progress reported 58 class-action lawsuits. These lawsuits have been consolidated with a subrogation claim from an insurer in the U.S. District Court for the District of Massachusetts.
Expenses related to the MOVEit vulnerability grew from $1 million in Progress' fiscal first quarter to $3 million in the most recently closed quarter. Progress expects to incur additional investigation, legal, and professional services expenses associated with the MOVEit vulnerability in future quarters.
Inquiries from data privacy regulators in the United Kingdom, Australia, and Spain were closed without action. However, Progress received a preservation notice from the Federal Trade Commission in December. Progress Software is continuing to cooperate with regulators in a transparent manner.
As of now, Progress is party to at least 144 class-action lawsuits. The company cannot reasonably estimate a range of possible losses at this time due to multiple lawsuits and investigations ongoing.
Progress Software's President and CEO, Yogesh Gupta, stated that the company acted appropriately and with the interests of customers at the forefront in its response to the attack on MOVEit environments. The company has not received a request for information or communication indicating a formal investigation is underway from the Federal Trade Commission.
Sources
[1] KrebsOnSecurity. (2023). MOVEit Transfer Zero-Day SQL Injection Vulnerability Exploited in Attacks by Clop Ransomware Group
[2] Cybersecurity Dashboard. (2023). CVE-2023-34362 - MOVEit Transfer Server SQL Injection Vulnerability
[3] DataBreachToday. (2023). Clop Ransomware Attacks MOVEit Transfer Server, Exposes 93 Million Personal Records
[4] Cybersecurity Ventures. (2023). The Typical Zero-Day Exploit Lifecycle
- The Cl0p ransomware group exploited the zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer software, leading to a global wave of data breaches and ransom demands, highlighting the importance of robust cybersecurity in technology.
- Progress' response to the MOVEit breach included investigating, alerting customers, blocking traffic to MOVEit, and releasing security patches, demonstrating their attention towards privacy concerns in the digital age.
- The ongoing legal battles against Progress Software stemming from the MOVEit breach underscore the significant implications of cybersecurity vulnerabilities on a company's liability exposure and consumer privacy.
