The hidden cost of MFT vulnerabilities
The channel can solve the fundamental fragility in how organizations handle their most sensitive data transfers
When Fortra disclosed CVE-2025-10035 in GoAnywhere MFT, security teams would have experienced a familiar sinking feeling. Another critical vulnerability. Another emergency patch cycle. Another race against ransomware operators. Yet, this latest maximum-severity flaw revealed something more troubling than a single vendor's coding error. It exposed the fundamental fragility of how organizations handle their most sensitive data transfers.
Unfortunately, the numbers don’t lie. According to our research, Managed File Transfer (MFT) platforms carry a sky-high risk score (4.72), outpacing nearly every other data transfer technology. This is not a coincidence. It is the predictable result of architectural decisions made when "perimeter security" still meant something and when exposed admin consoles were considered acceptable trade-offs for operational convenience.
A dangerous intersection
This is an industry-wide crisis that has been hiding in plain sight. Legacy MFT systems have suffered similar critical vulnerabilities in recent years. Each follows an eerily similar pattern: authentication bypass or code execution flaws that grant attackers the keys to the kingdom.
Part of the problem is that MFT platforms exist at the intersection of maximum value and maximum exposure. They are needed to quickly transport sensitive information. Yet they must also connect disparate networks, bridge security domains, and accommodate external partners with varying security postures. This inherent tension creates attack surfaces that grow exponentially with each integration point.
The financial impact can be deep. Organizations operating in what researchers call the "danger zone", managing 1,001 to 5,000 third-party connections, face average breach costs of between $3 million and $5 million per incident. Yet, these costs can rise further depending on detection time. Those that take 31-90 days to discover MFT compromises see litigation costs alone exceed $5 million in 27% of cases. Therefore, every hour of dwell time multiplies the damage exponentially.
The need for modern architectural patterns
The channel plays a very important role here. It needs to educate security leaders that if their strategy relies primarily on patching vulnerabilities quickly, they have already lost. The problem isn't the patches; it is the architecture that turns every vulnerability into an existential threat.
Thankfully, modern architectural patterns offer a different path. Think of security as layers of Swiss cheese. Any single layer has holes, but stacking them creates defense in depth.
Sandboxing isolates risky components, preventing deserialization flaws from compromising systems. Zero-trust networking assumes breach and limits blast radius. Embedded security controls create speed bumps that slow attackers and generate alerts. Most critically, these patterns acknowledge that perfect code is impossible; resilience comes from limiting impact, not preventing flaws.
A vicious cycle
The most striking finding from our own research is the power of mature governance to reduce risk. Organizations with comprehensive governance frameworks (currently just 17% of enterprises) demonstrate 21% lower risk scores across all security metrics.
Governance in this context means more than policies and procedures. It is about maintaining visibility into what the organization is protecting and how. Nearly half of the organizations that cannot quantify their breach frequency also can't estimate their litigation exposure. This blindness creates a vicious cycle: without metrics, a business cannot improve; without improvement, breaches multiply.
For MFT systems specifically, governance means treating file transfer as the critical infrastructure it truly is. This includes architectural review boards that evaluate new integrations for security impact, continuous monitoring that alerts on unusual activity, clear accountability of each external connection point, and regular exercises to test response capabilities.
What can MSPs do?
For MSPs looking to break the vulnerability-patch-breach cycle for their clients, several concrete steps can dramatically improve security posture. Start by eliminating internet-facing admin consoles. Use jump servers, VPNs, or modern zero-trust proxies, but never expose management interfaces directly.
Next, implement genuine least-privilege access. Most MFT deployments run with excessive permissions because it is easier than properly scoping access. This convenience becomes catastrophic when attackers gain a foothold. Ensure that every external connection has minimal permissions, enforced at multiple layers.
Consolidate where possible. Many organizations run multiple MFT solutions for historical reasons, each adding attack surface and complexity. It’s far better for MSPs to get their clients to standardize on one single, well-architected platform.
Most importantly, instrument for detection. The difference between a £1m incident and a £10m breach often comes down to the speed of detection. MFT systems should generate rich audit logs, feed SIEM platforms in real-time, alert on anomalous transfer patterns or volumes, and integrate with broader security orchestration.
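One way to alert on anomalous transfer volumes, as an added example that is not part of the original article or any vendor's product. The JSON audit-record layout, the account names and the thresholds are assumptions; the check compares each account's daily volume against a median/MAD baseline built from that account's own earlier days.

```python
import json
from collections import defaultdict
from statistics import median

def constructed_sample():
    """Constructed audit lines (not from a real MFT product): one JSON record per transfer."""
    lines = []
    for d in range(1, 8):  # seven ordinary days for two partner accounts
        day = f"2025-01-{d:02d}"
        lines.append(json.dumps({"day": day, "account": "partner-a", "bytes": 100_000_000 + d * 1_000_000}))
        lines.append(json.dumps({"day": day, "account": "partner-b", "bytes": 5_000_000 + d * 10_000}))
    # Day eight: partner-a moves about 4 GB, partner-b stays in its usual range.
    lines.append(json.dumps({"day": "2025-01-08", "account": "partner-a", "bytes": 4_000_000_000}))
    lines.append(json.dumps({"day": "2025-01-08", "account": "partner-b", "bytes": 5_050_000}))
    return lines

def daily_totals(lines):
    """Sum bytes per account per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = json.loads(line)
        totals[rec["account"]][rec["day"]] += rec["bytes"]
    return totals

def find_volume_anomalies(lines, min_history=5, threshold=6.0):
    """Flag days whose volume sits far above the account's own earlier days."""
    alerts = []
    for account, days in sorted(daily_totals(lines).items()):
        ordered = sorted(days.items())  # ISO dates sort chronologically
        for i, (day, total) in enumerate(ordered):
            history = [b for _, b in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet to judge this account
            med = median(history)
            mad = median([abs(b - med) for b in history])
            # Robust spread; the floor stops a flat history from alerting on tiny changes.
            spread = max(1.4826 * mad, 0.05 * med, 1.0)
            score = (total - med) / spread
            if score > threshold:
                alerts.append({"account": account, "day": day, "bytes": total, "score": round(score, 1)})
    return alerts

if __name__ == "__main__":
    for alert in find_volume_anomalies(constructed_sample()):
        print(alert)
```

In practice the same per-account baseline would run on the audit stream already feeding the SIEM, with accounts that have no history yet routed to a separate review queue.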
A learning opportunity
CVE-2025-10035 represents a learning opportunity. It is time for MSPs to encourage their clients to evolve from reactive patching to proactive architectural resilience. This evolution requires acknowledging uncomfortable truths.
Legacy MFT systems will likely continue to have critical vulnerabilities discovered that threat actors will attempt to exploit. The question is whether these are allowed to become manageable incidents or existential crises. MSPs need to recommend an MFT solution with the architecture, governance, and detection capabilities to give their clients the best chance.
As we enter an era where AI-powered vulnerability discovery accelerates the pace of disclosure, the old solution of patch-and-pray becomes increasingly untenable. MSPs must instead focus on building systems for their clients that bend but do not break, that contain breaches rather than amplifying them, and that provide visibility into compromise rather than hiding it.
Savvy MSPs understand this and are transforming MFT from a great vulnerability into a manageable risk.

Sam Harrison is a results-driven channel leader with extensive experience developing and executing go-to-market strategies across EMEA.
As channel manager at Kiteworks, he focuses on building high-value partnerships that drive sustainable growth and strengthen the company’s presence in secure content and compliance solutions.
With a proven track record in channel development and strategic planning, Sam brings an analytical and collaborative approach to enabling partner success and long-term ecosystem performance.