The hidden cost of MFT vulnerabilities
The channel can solve the fundamental fragility in how organizations handle their most sensitive data transfers
When Fortra disclosed CVE-2025-10035 in GoAnywhere MFT, security teams would have experienced a familiar sinking feeling. Another critical vulnerability. Another emergency patch cycle. Another race against ransomware operators. Yet, this latest maximum-severity flaw revealed something more troubling than a single vendor's coding error. It exposed the fundamental fragility of how organizations handle their most sensitive data transfers.
Unfortunately, the numbers don’t lie. According to our research, Managed File Transfer (MFT) platforms carry a sky-high risk score (4.72), outpacing nearly every other data transfer technology. This is not a coincidence. It is the predictable result of architectural decisions made when "perimeter security" still meant something and when exposed admin consoles were considered acceptable trade-offs for operational convenience.
A dangerous intersection
This is an industry-wide crisis that has been hiding in plain sight. Legacy MFT systems have suffered similar critical vulnerabilities in recent years. Each follows an eerily similar pattern: authentication bypass or code execution flaws that grant attackers the keys to the kingdom.
Part of the problem is that MFT systems exist at the intersection of maximum value and maximum exposure. They are needed to quickly transport sensitive information. Yet they must also connect disparate networks, bridge security domains, and accommodate external partners with varying security postures. This inherent tension creates attack surfaces that grow exponentially with each integration point.
The financial impact can be deep. Organizations operating in what researchers call the "danger zone", managing 1,001 to 5,000 third-party connections, face average breach costs between $3 million and $5 million per incident. Yet, these costs can rise further depending on detection time. Those that take 31-90 days to discover MFT compromises see litigation costs alone exceed $5 million in 27% of cases. Therefore, every hour of dwell time multiplies the damage exponentially.
The need for modern architectural patterns
The channel plays a very important role here. It needs to educate security leaders that if their strategy relies primarily on patching vulnerabilities quickly, they have already lost. The problem isn't the patches; it is the architecture that turns every vulnerability into an existential threat.
Thankfully, modern architectural patterns offer a different path. Think of security as layers of Swiss cheese. Any single layer has holes, but stacking them creates defense in depth.
Sandboxing isolates risky components, preventing deserialization flaws from compromising systems. Zero-trust networking assumes breach and limits blast radius. Embedded security controls create speed bumps that slow attackers and generate alerts. Most critically, these patterns acknowledge that perfect code is impossible; resilience comes from limiting impact, not preventing flaws.
A vicious cycle
The most striking finding from our own research is the power of mature governance to reduce risk. Organizations with comprehensive governance frameworks (currently just 17% of enterprises) demonstrate 21% lower risk scores across all security metrics.
Governance in this context means more than policies and procedures. It is about maintaining visibility into what the organization is protecting and how. Nearly half of the organizations that cannot quantify their breach frequency also can't estimate their litigation exposure. This blindness creates a vicious cycle: without metrics, a business cannot improve; without improvement, breaches multiply.
For MFT systems specifically, governance means treating file transfer as the critical infrastructure it truly is. This includes architectural review boards that evaluate new integrations for security impact, continuous monitoring that alerts on unusual activity, clear accountability of each external connection point, and regular exercises to test response capabilities.
What can MSPs do?
For MSPs looking to break the vulnerability-patch-breach cycle for their clients, several concrete steps can dramatically improve security posture. Start by eliminating internet-facing admin consoles. Use jump servers, VPNs, or modern zero-trust proxies, but never expose management interfaces directly.
Next, implement genuine least-privilege access. Most MFT deployments run with excessive permissions because it is easier than properly scoping access. This convenience becomes catastrophic when attackers gain a foothold. Ensure that every external connection has minimal permissions, enforced at multiple layers.
Consolidate where possible. Many organizations run multiple MFT solutions for historical reasons, each adding attack surface and complexity. It’s far better for MSPs to get their clients to standardize on a single, well-architected platform.
Most importantly, instrument for detection. The difference between a £1m incident and a £10m breach often comes down to the speed of detection. MFT systems should generate rich audit logs, feed SIEM platforms in real time, alert on anomalous transfer patterns or volumes, and integrate with broader security orchestration.
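The detection step above, sketched as an added example that is not from the article or from any MFT product: it reads constructed JSON audit events, flags admin logins that originate outside a management subnet, and flags transfers far above each partner's own baseline using a median-based outlier score. The event field names, the partner names and the 10.0.5.0/24 management subnet are assumptions.

```python
import ipaddress
import json
from collections import defaultdict
from statistics import median

# Assumption: admin logins are only expected from this jump-host subnet.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed audit events; field names are assumptions, not a product schema.
SAMPLE_LOG = """
{"event":"transfer","partner":"acme","bytes":50000000}
{"event":"transfer","partner":"acme","bytes":52000000}
{"event":"transfer","partner":"acme","bytes":48000000}
{"event":"transfer","partner":"acme","bytes":51000000}
{"event":"transfer","partner":"acme","bytes":49000000}
{"event":"transfer","partner":"acme","bytes":4800000000}
{"event":"transfer","partner":"globex","bytes":10000000}
{"event":"transfer","partner":"globex","bytes":11000000}
{"event":"transfer","partner":"globex","bytes":9000000}
{"event":"transfer","partner":"globex","bytes":10000000}
{"event":"admin_login","user":"admin","src":"10.0.5.20"}
{"event":"admin_login","user":"admin","src":"203.0.113.45"}
"""

def detect(log_text, threshold=3.5, min_events=4):
    """Return alert tuples for off-network admin logins and volume outliers."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    alerts, sizes = [], defaultdict(list)
    for e in events:
        if e["event"] == "admin_login":
            src = ipaddress.ip_address(e["src"])
            if not any(src in net for net in MGMT_NETS):
                alerts.append(("admin_login_outside_mgmt_net", e["user"], e["src"]))
        elif e["event"] == "transfer":
            sizes[e["partner"]].append(e["bytes"])
    for partner, vals in sizes.items():
        if len(vals) < min_events:
            continue  # not enough history for a per-partner baseline
        med = median(vals)
        # Median absolute deviation, floored at 5% of the median so a
        # perfectly regular partner does not alert on tiny changes.
        mad = max(median(abs(v - med) for v in vals), 0.05 * med)
        for v in vals:
            if 0.6745 * (v - med) / mad > threshold:  # modified z-score, upward only
                alerts.append(("transfer_volume_outlier", partner, v))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

In a real deployment the same two checks would run as SIEM rules over the MFT audit feed, with the baseline computed over a rolling window rather than a single batch.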
A learning opportunity
CVE-2025-10035 represents a learning opportunity. It is time for MSPs to encourage their clients to evolve from reactive patching to proactive architectural resilience. This evolution requires acknowledging uncomfortable truths.
Legacy MFT systems will likely continue to have critical vulnerabilities discovered that threat actors will attempt to exploit. The question is whether these are allowed to become manageable incidents or existential crises. MSPs need to recommend an MFT solution with the architecture, governance, and detection capabilities to give their clients the best chance.
As we enter an era where AI-powered vulnerability discovery accelerates the pace of disclosure, the old solution of patch-and-pray becomes increasingly untenable. MSPs must instead focus on building systems for their clients that bend but do not break, that contain breaches rather than amplifying them, and that provide visibility into compromise rather than hiding it.
Savvy MSPs understand this and are transforming MFT from a great vulnerability into a manageable risk.

Sam Harrison is a results-driven channel leader with extensive experience developing and executing go-to-market strategies across EMEA.
As channel manager at Kiteworks, he focuses on building high-value partnerships that drive sustainable growth and strengthen the company’s presence in secure content and compliance solutions.
With a proven track record in channel development and strategic planning, Sam brings an analytical and collaborative approach to enabling partner success and long-term ecosystem performance.