0000876167falsePROGRESS SOFTWARE CORP /MA00008761672023-05-302023-05-30

Washington, D.C. 20549

Pursuant to Section 13 OR 15(d) of the Securities Exchange Act of 1934

May 30, 2023
Date of Report (Date of earliest event reported)
 Progress Software Corporation
(Exact name of registrant as specified in its charter)
(State or other jurisdiction of incorporation or organization)(Commission file number)(I.R.S. Employer Identification No.)
15 Wayside Road, Suite 400
Burlington, Massachusetts 01803
(Address of principal executive offices, including zip code)
(Registrant’s telephone number, including area code)
Not applicable
(Former name or former address, if changed since last report.)

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:
Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)
Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)
Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))
Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:
Title of each classTrading Symbol(s)Name of each exchange on which registered
Common Stock, $0.01 par value per sharePRGSThe Nasdaq Stock Market LLC

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act.

Item 8.01. Other Events.

On the evening of May 28, 2023 (Eastern Time), the MOVEit technical support team at Progress Software Corporation (“Progress” or “the Company”) received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and discovered a zero-day vulnerability in MOVEit Transfer. The investigative team determined that the vulnerability could provide for unauthorized escalated privileges and access to the customer’s underlying environment. Following such discovery, on May 30, 2023, Progress promptly (i) reached out to all MOVEit Transfer and MOVEit Cloud (Progress’ cloud-hosted version of MOVEit Transfer) customers in order to apprise them of the vulnerability and alert them to immediate remedial actions, and (ii) took down MOVEit Cloud for investigation. In parallel, the engineering team at the Company worked to develop a patch for all supported versions of MOVEit Transfer (including MOVEit Cloud), which was released across all impacted systems on May 31, 2023 and allowed for the restoration of MOVEit Cloud that same day.

Progress has remained fully operational at all times before and after the discovery of the vulnerability and, as of the time of this current report on Form 8-K, has not uncovered evidence of unauthorized activity or impact to products beyond MOVEit Transfer and MOVEit Cloud. As of May 31, 2023, Progress estimates that MOVEit Transfer and MOVEit Cloud accounted for less than 4% of Progress’ annual gross revenue.

Progress has engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the vulnerability. While Progress’ investigation remains ongoing, the Company (i) has and is continuing to implement a series of additional security and related measures aimed at addressing this vulnerability and further strengthening the overall security of the MOVEit application, (ii) has engaged outside legal counsel to conduct a thorough independent investigation of the vulnerability, and (iii) has engaged with federal law enforcement and other federal agencies with respect to the vulnerability.

As the investigation remains ongoing, Progress will continue to assess the potential impact on its business, operations and financial results. Based upon Progress’ assessment of the investigation at this time, the Company currently does not believe that the vulnerability will have a material impact on its business, operations or financial results.

Note Regarding Forward-Looking Statements

This periodic report on Form 8-K contains statements that are “forward-looking statements” within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Progress has identified some of these forward-looking statements with words like “believe,” “may,” “could,” “would,” “might,” “should,” “expect,” “intend,” “plan,” “target,” “anticipate” and “continue,” the negative of these words, other terms of similar meaning or the use of future dates. Forward-looking statements in this report include, but are not limited to, statements regarding Progress’ business outlook, the actual or potential impact of the vulnerability, and financial guidance related thereto. There are a number of factors that could cause actual results or future events to differ materially from those anticipated by the forward-looking statements, including, without limitation: (i) the impact of the unauthorized access to the MOVEit application or other future similar activities; and (ii) if the security measures for Progress’ software, services, other offerings or Progress’ internal information technology infrastructure or other products are compromised or subject to a successful cyber-attack, or if Progress’ software offerings contain significant coding or configuration errors, the Company may experience reputational harm, legal claims and financial exposure. For further information regarding risks and uncertainties associated with Progress’ business, please refer to Progress’ filings with the Securities and Exchange Commission (the “SEC”), including its Annual Report on Form 10-K for the fiscal year ended November 30, 2022, which was filed with the SEC on January 27, 2023. Progress undertakes no obligation to update any forward-looking statements, which speak only as of the date of this current report on Form 8-K.

Item 9.01. Financial Statements and Exhibits.

(d) Exhibits.
Exhibit No.Description
104Cover Page Interactive Data File (embedded within the Inline XBRL document)

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.
Date:June 5, 2023Progress Software Corporation
YuFan Stephanie Wang
Chief Legal Officer and Secretary