When Fortra disclosed CVE-2025-10035 in GoAnywhere MFT last month, many security teams would have experienced a familiar sinking feeling. Another critical vulnerability. Another emergency patch cycle. Another race against ransomware operators. But this one reveals something more troubling: the fundamental fragility of how organisations handle their most sensitive data transfers.

This is an industry-wide crisis hiding in plain sight. Legacy managed file transfer (MFT) systems have suffered similar critical vulnerabilities in recent years. Each follows an eerily similar pattern: authentication bypass or code execution flaws that grant attackers keys to the kingdom. The reason is structural, not coincidental.

MFT systems exist at the intersection of maximum value and maximum exposure. They handle everything from financial transactions to healthcare records, intellectual property to government secrets. Yet they must also connect disparate networks, bridge security domains, and accommodate external partners with varying security postures. This inherent tension creates an attack surface that grows with every integration point, every partner account and every protocol the platform is asked to speak.

The uncomfortable truth for businesses is that if a firm's strategy relies primarily on patching vulnerabilities quickly, it has already lost. The problem is not the patches; it is an architecture that turns every vulnerability into an existential threat.

Fortunately, modern architectural patterns offer a different path. It helps to think of security as layers of Swiss cheese: any single layer has holes, but stacking them creates defence in depth. Sandboxing isolates risky components, so that a deserialisation flaw in one component is contained rather than becoming a compromise of the whole host. Zero-trust networking assumes breach and limits the blast radius. Embedded security controls create speed bumps that slow attackers and generate alerts. Most critically, these patterns acknowledge that perfect code is impossible; resilience comes from limiting impact, not from preventing every flaw.

Weaponising governance to squash MFT vulnerabilities

The most striking finding from recent industry analysis is the power of mature governance to reduce risk. Governance in this context means more than policies and procedures. It is about maintaining visibility into what a business must protect and how. Nearly half of organisations that cannot quantify their breach frequency also can’t estimate their litigation exposure. This blindness creates a vicious cycle: without metrics, a business cannot improve; without improvement, breaches multiply; multiplied breaches destroy metrics through chaos and turnover.

For MFT systems specifically, governance means treating file transfer as the critical infrastructure it truly is. This includes architectural review boards that evaluate new integrations for security impact, continuous monitoring that alerts on unusual transfer patterns or administrative actions, clear ownership and accountability for each external connection point, and regular tabletop exercises that assume MFT compromise and test response capabilities.

For businesses looking to break the vulnerability-patch-breach cycle, several concrete steps can dramatically improve security posture without massive technology investments. Start by eliminating internet-facing admin consoles: administrative interfaces should be reachable only from an internal management network, never from the same addresses partners use to exchange files. Then implement genuine least-privilege access, scoping each partner account to the folders and transfer directions it actually needs and keeping administrative credentials separate from transfer credentials. Next, consolidate where possible. The overhead of managing several different file transfer systems often exceeds the cost of standardising on one well-architected platform.

Most importantly, instrument for detection. The cost of a breach often comes down to detection speed. If a business cannot detect compromise within hours, its architecture has failed, regardless of patch velocity.
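The monitoring described above, alerting on administrative actions and on unusual transfer patterns, can be expressed as a handful of rules over the platform's audit log. The following is an added example written for this page; it is not Kiteworks, Fortra or any vendor's code. The log format (one JSON object per line with the fields timestamp, event, user, src_ip, bytes and path), the internal address ranges and the per-user daily byte threshold are all assumptions constructed for the example, and would be replaced by the real product's schema and a baseline derived from its history.

```python
"""Detection rules over MFT audit logs (added example; not any vendor's code).

The JSON-lines format, field names, internal networks and the byte threshold
are assumptions made for this example, not a real product's schema.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

# Networks from which administrative access is expected (assumed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Admin actions that should never originate from an external address.
ADMIN_EVENTS = {"admin.login", "admin.user_create", "admin.config_change"}

# Assumed per-user daily download baseline; derive from history in practice.
BYTES_PER_USER_PER_DAY = 500_000_000

# Constructed sample log: a normal morning, then an admin login from the
# internet, a new admin account, and a bulk download of payroll archives.
SAMPLE_LOG = """\
{"timestamp": "2025-09-18T08:01:00Z", "event": "admin.login", "user": "ops", "src_ip": "10.1.2.3", "bytes": 0, "path": "/admin"}
{"timestamp": "2025-09-18T08:05:00Z", "event": "file.download", "user": "partner_a", "src_ip": "203.0.113.10", "bytes": 2000000, "path": "/inbound/invoice.pdf"}
{"timestamp": "2025-09-18T08:06:00Z", "event": "file.download", "user": "partner_b", "src_ip": "198.51.100.7", "bytes": 1500000, "path": "/inbound/report.csv"}
{"timestamp": "2025-09-18T23:14:00Z", "event": "admin.login", "user": "ops", "src_ip": "198.51.100.44", "bytes": 0, "path": "/admin"}
{"timestamp": "2025-09-18T23:15:00Z", "event": "admin.user_create", "user": "ops", "src_ip": "198.51.100.44", "bytes": 0, "path": "/admin/users"}
{"timestamp": "2025-09-18T23:16:00Z", "event": "file.download", "user": "svc_backup", "src_ip": "198.51.100.44", "bytes": 900000000, "path": "/payroll/2025Q3.zip"}
{"timestamp": "2025-09-18T23:17:00Z", "event": "file.download", "user": "svc_backup", "src_ip": "198.51.100.44", "bytes": 700000000, "path": "/payroll/2025Q2.zip"}
"""


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Yield one record per non-empty line; a malformed line becomes its own event,
    because a log that stops parsing is exactly what an attacker wants."""
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            yield {"event": "log.malformed", "line": n, "raw": line}


def detect(text):
    """Return a list of (rule, detail) alerts for the log text, in log order."""
    alerts = []
    volume = defaultdict(int)  # (user, date) -> bytes downloaded so far
    for rec in parse_log(text):
        event = rec.get("event", "")
        if event == "log.malformed":
            alerts.append(("malformed_log", f"line {rec['line']}: {rec['raw']!r}"))
            continue
        # Rule 1: administrative action from outside the management networks.
        if event in ADMIN_EVENTS and not is_internal(rec["src_ip"]):
            alerts.append(("admin_from_external", f"{event} by {rec['user']} from {rec['src_ip']}"))
        # Rule 2: new administrative accounts are always worth a human look.
        if event == "admin.user_create":
            alerts.append(("admin_user_created", f"by {rec['user']} at {rec['timestamp']}"))
        # Rule 3: one account pulling far more than its daily baseline.
        if event == "file.download":
            day = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00")).date()
            key = (rec["user"], day)
            before = volume[key]
            volume[key] += rec["bytes"]
            # Alert once, at the moment the account crosses the threshold.
            if before <= BYTES_PER_USER_PER_DAY < volume[key]:
                alerts.append(("bulk_download", f"{rec['user']} exceeded {BYTES_PER_USER_PER_DAY} bytes on {day}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```

Run against the sample, the rules fire on the two administrative actions from 198.51.100.44, on the account creation, and once on svc_backup when its downloads pass the threshold; the morning's internal admin login and the small partner downloads produce nothing. The point is less the specific thresholds than that every alert here is available within minutes of the event, which is the detection speed the paragraph above demands.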

Organisations must evolve from reactive patching to proactive architectural resilience. This evolution requires acknowledging uncomfortable truths. A legacy MFT system will have critical vulnerabilities discovered. The question is whether these inevitable events become manageable incidents or existential crises. As we enter an era where AI-powered vulnerability discovery accelerates the pace of disclosure, the old playbook of patch-and-pray becomes increasingly untenable. Security leaders must instead focus on building systems that bend but do not break, that contain breaches rather than amplifying them, and that provide visibility into compromise rather than hiding it. 

John Lynch is the director of UK market development at Kiteworks
