Legacy MFT Design Fuels Recurring Breaches

MFT Breaches Persist: Legacy Architecture Failures Exposed

The story of managed file transfer breaches in the 2020s is not the story of one bad vendor having a bad year. It is the story of a category-level architectural pattern producing predictable failures. The April 30, 2026 disclosure of CVE-2026-4670, a CVSS 9.8 authentication bypass in MOVEit Automation, and CVE-2026-5174, a chained privilege-escalation flaw, makes that pattern impossible to dismiss as bad luck.

Key Takeaways

  1. The 2026 disclosure is the third critical wave in three years. On April 30, Progress disclosed two MOVEit Automation vulnerabilities, one rated CVSS 9.8. There is no workaround.
  2. This is not a one-vendor problem. Cleo in December 2024, CrushFTP in March 2025, Wing FTP in July 2025, and MOVEit again in April 2026 — four critical MFT vulnerabilities in eighteen months, across four vendors.
  3. Most MFT incidents are not zero-days. Fifty-nine percent of organizations suffered an MFT-related incident in the past year, and the failures cluster around unencrypted data at rest, no SIEM integration, and fragmented systems.
  4. The blast radius is decided by architecture, not by patching speed. When the same vulnerability class hits a hardened, single-tenant appliance with defense in depth, the practical impact drops by orders of magnitude — Log4Shell’s industry CVSS 10 was contained to CVSS 4 in one such environment.
  5. The next patch is not the answer. The architectural choice is whether security is a customer configuration burden bolted onto an internet-facing web app, or a product capability of a hardened appliance with one policy engine and one audit log.

Three years. Eleven disclosed CVEs across MOVEit’s product lines. Five rated CVSS 9.0 or higher. And in each wave, the same architectural conditions held: an internet-facing web application, a customer-managed operating system, a database tier the application could reach directly, and a file store sitting on the same trust boundary as everything else.

The 2023 wave was the one that made the news. On May 27 of that year, the Cl0p ransomware group began mass-exploiting CVE-2023-34362, a CVSS 9.8 SQL injection vulnerability in MOVEit Transfer. Progress shipped a patch four days later. Mandiant later reported that the average time from initial compromise to data exfiltration was approximately five minutes. By year-end, more than 2,700 organizations had been compromised, with personal data on roughly 93 million individuals exposed. CISA estimated that 8,000+ entities globally were affected when downstream exposure was included.

The 2024 wave was a pair of authentication bypasses — CVE-2024-5805 and CVE-2024-5806, both eventually rated CVSS 9.1. The Shadowserver Foundation observed exploitation attempts within hours of disclosure. WatchTowr Labs published working proof-of-concept code the same day. The 2025 disclosure of CVE-2025-2324 hit the SFTP Shared Accounts module. And the 2026 advisory closed the loop: a CVSS 9.8 authentication bypass and a chained privilege-escalation flaw in MOVEit Automation, with Shodan identifying more than 1,440 internet-exposed instances at risk, including 16 connected to US state and local government.

A vendor has bad code from time to time. A category has bad architecture every time.

The Cross-Vendor Pattern That Proves It Is Architectural

If MOVEit were the only data point, the case would be circumstantial. It is not. Across the eighteen months from December 2024 to April 2026, four separate managed file transfer platforms shipped critical-severity vulnerabilities, each weaponized within a short window of public disclosure.

Cleo, December 2024. Cl0p mass-exploited a vulnerability chain in Cleo’s Harmony, VLTrader, and LexiCom products. More than 300 organizations were claimed as victims across transportation, manufacturing, and food supply chains.

CrushFTP, March 2025. An authentication bypass affecting CrushFTP servers was followed by a July 2025 disclosure that enabled full server takeover.

Wing FTP, July 2025. An unauthenticated remote code execution vulnerability via Lua injection produced root and SYSTEM-level privilege impact.

MOVEit, April 2026. The current advisory. No workaround. Full-installer upgrade required.

The Dragos 2026 OT/ICS Cybersecurity Report puts this pattern in operational context. Ransomware affiliates throughout 2025 increasingly targeted engineering firms, OT-managed service providers, and ICS equipment vendors — exactly the customer base concentrated on legacy MFT platforms. Cl0p’s exploitation of Cleo MFT, CrushFTP, and later Oracle E-Business Suite, Dragos notes, demonstrated how a single vulnerability in widely deployed file-transfer software can expose operational documents, engineering data, and vendor-customer integrations across hundreds of industrial organizations — even when the attacker never touches an OT network directly.

This is what category-level architectural risk looks like. The vendor name changes. The failure mode does not.

What 59% of Organizations Already Know From Experience

The most striking finding in Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report is that the MFT incident problem is not occasional, and it is not driven primarily by zero-days. Fifty-nine percent of organizations suffered an MFT-related security incident in the past year. Only 39 percent avoided incidents entirely.

The breakdown by automation maturity is even more telling. Organizations with less than 50 percent of file transfers automated through MFT reported a 71 percent incident rate. Organizations at 50-69 percent automation reported 61 percent. At 70-89 percent automation, the incident rate fell to 52 percent. And the 13 percent of organizations that achieved 90-100 percent end-to-end automation reported just 29 percent.

The 2025 MFT Survey Report frames the failures as three structural gaps. The first is an encryption gap: 76 percent of organizations encrypt MFT data in transit, but only 42 percent encrypt data at rest with AES-256. Government agencies encrypt just 8 percent of stored MFT data. Healthcare encrypts 11 percent. The data sitting in storage — the data attackers reach when an MFT vulnerability lands — is the data least protected.

The second is a visibility gap. Sixty-three percent of organizations have no SIEM or SOC integration with their MFT environment. Their security operations centers monitor network traffic and endpoint activity, but file transfers — often carrying the most sensitive data in the organization — operate in the dark.

The third is a complexity gap. Sixty-two percent of organizations run fragmented architectures across MFT, email, file sharing, and web forms. Each tool has its own policies, its own audit log, and its own configuration surface. Each gap between them is a place where evidence dissolves.

These are not exotic vulnerabilities. They are foundational controls that should have been baseline a decade ago.

Why the MFT Architecture Keeps Failing the Same Way

Four architectural properties define the legacy MFT category, and each one maps directly to a documented failure mode in the CVE record.

Internet-facing web application surface. Every legacy MFT platform requires a public web interface for partner access. Every disclosed SQL injection, authentication bypass, and input-validation flaw has reached the platform through that interface. It is also a surface that cannot be eliminated without breaking the product’s core function.

Customer-managed infrastructure. Legacy MFT platforms run on customer-hardened Windows Server, IIS, SQL Server, and customer-configured network controls. Security depends on the customer correctly hardening every component. Every misconfiguration is a potential CVE in the operating environment. Every patch cycle is the customer’s responsibility to coordinate.

No containment once inside. Once an attacker has remote code execution in a legacy MFT environment, nothing isolates the application tier from the database, the file store, or the cloud storage credentials. The blast radius is the platform. The 2023 Cl0p attack chain illustrated this with brutal clarity: SQL injection in the web tier exposed sysadmin tokens, a deserialization flaw converted the token to remote code execution, and a custom ASP.NET web shell named LEMURLOOT proxied exfiltration through custom HTTP headers. Nothing along that chain met meaningful tier-level resistance.

No-workaround patch cycle. Every disclosed MOVEit CVE has required a full-installer upgrade. Exploitation has been observed within hours of disclosure in multiple cases. The cycle compounds: the longer the platform stays in production, the more CVEs accumulate, and the harder it becomes to defend the decision to keep operating it.

Kiteworks Data Security and Compliance Risk: 2026 Forecast Report frames the broader category problem this way: legacy infrastructure cannot support modern data governance. Disaggregated file sharing and decades-old MFT solutions lack the security capabilities required to build containment controls, evidence-quality audit trails, or sovereignty assurance. The 2026 Forecast Report found that only 39 percent of organizations have unified data exchange with enforcement; 34 percent have partial coverage with gaps; 16 percent operate channel-specific solutions only; 11 percent have minimal or no governance at all.

Sixty-one percent of organizations are trying to build evidence-quality audit trails on top of fragmented infrastructure. The infrastructure cannot support what the regulator now expects.

What the Regulators Are Doing With the Pattern

Every MFT breach creates a regulatory record. And the regulators are getting better at reading those records.

The SEC opened a formal investigation of Progress Software on October 2, 2023, in the wake of the Cl0p MOVEit campaign. Under SEC Item 1.05, public companies must disclose material cybersecurity incidents on Form 8-K within four business days. That clock starts when the company concludes the incident is material — and post-Cl0p, the SEC has signaled clearly that delays in materiality assessment are themselves under scrutiny.

In healthcare, the Centers for Medicare and Medicaid Services reported the MOVEit-linked breach affecting 3.1 million individuals to the HHS Office for Civil Rights. The HIPAA Security Rule’s “reasonable safeguards” standard at 45 CFR §164.308 is the regulatory frame, and OCR penalties can reach $2.1 million annually per violation tier.

In the EU, GDPR Article 32 requires technical and organizational measures appropriate to the risk, and the NIS 2 Directive, in force since October 2024, layers on a 24-hour early-warning and 72-hour incident notification requirement. The UK ICO’s £14 million penalty against Capita in October 2025 cited Article 32 directly.

In Australia, the Privacy Amendment Act 2024 raised maximum civil penalties to AUD 50 million or 30 percent of adjusted turnover for serious or repeated interference with privacy. Office of the Australian Information Commissioner notifiable data breach reports rose 25 percent year-over-year in 2024.

The regulator’s question, after three critical MFT waves in three years, is not whether the breach was foreseeable. It is whether continuing to operate a platform with that disclosure record qualifies as a reasonable safeguard.

The Architectural Alternative

Swapping one legacy MFT product for another restarts the patch cycle clock without changing the underlying model. The architectural response is a different model.

Kiteworks consolidates data exchange — email, file sharing, SFTP, MFT, web forms, APIs, and AI integrations — onto a single hardened virtual appliance with one policy engine and one audit log. The appliance ships with an embedded network firewall, an embedded web application firewall, an embedded intrusion detection system, and a stripped-down operating system that Kiteworks maintains. Customers do not configure the OS. They do not manage the database. They do not patch the underlying stack separately. One-click full-system updates patch the entire appliance — application, runtime, OS, libraries — in a single coordinated operation.

Inside that appliance, a tiered architecture isolates the web tier from the database and the file store. A compromised application layer cannot directly query the database or derive file-level keys. Files at rest are protected by two independent encryption layers — file-level plus disk-level — using FIPS 140-3 validated cryptographic modules. TLS 1.3 protects data in transit. Optional customer-controlled key management is available for sovereignty-sensitive workloads.

The administrative model matters here too. In legacy MFT, the admin console is the operating system itself. Administrators have access to server code, the file system, and the ability to install applications. An attacker who reaches the admin console reaches everything. In the Kiteworks model, administrators have no access to the OS, file system, application code, or database. The admin console is a web interface with strict role-based access controls. Admin capabilities manipulate the system only via specific API calls. Administrators cannot install software on the appliance.

Defense in depth is not theoretical in this architecture. During the December 2021 Log4Shell event, the industry CVSS score for the underlying Log4j flaw was 10.0. Within the Kiteworks appliance, layered controls reduced the practical impact to CVSS 4.0 before the formal patch arrived. The next critical CVE will not announce itself. What determines the blast radius is the architecture in place when it lands.

What Organizations Operating Legacy MFT Should Do Now

First, patch immediately. If you operate MOVEit Automation, upgrade to 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer. Progress confirms there is no workaround for CVE-2026-4670 or CVE-2026-5174. The same urgency applies to any legacy MFT environment that is still on a supported patch cadence — the disclosure-to-exploitation window has been measured in hours across multiple vendors.

Second, audit the gap. Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report found that 63 percent of organizations have no SIEM integration with their MFT, 58 percent do not encrypt MFT data at rest with AES-256, and 33 percent have not adopted attribute-based access control. Map your current MFT environment against those three controls before the next disclosure forces the conversation under pressure.

Third, inventory the channels. Most organizations exchange sensitive data through five to ten different tools — secure email, file sharing platforms, SFTP servers, MFT, web forms, APIs, and increasingly AI integrations. Kiteworks 2026 Forecast Report data shows that 61 percent of organizations have fragmented data exchange infrastructure, which means evidence-quality audit trails are not buildable on the current foundation. Inventory every channel where regulated data leaves your perimeter, then ask which ones share a policy engine and which ones do not.

Fourth, put architecture on the planning cycle. Migration off a legacy MFT platform is a real project with real timelines. The point is not to migrate in a quarter. The point is to put the architectural alternative on the next budget cycle, the next architecture review, or the next major MFT upgrade window — before the platform’s CVE record forces the conversation as an emergency. Kiteworks 2025 MFT Survey Report data shows that the 13 percent of organizations with 90-100 percent automation report less than half the incident rate of those still managing significant manual workflows. The investment in consolidation pays back inside one disclosure cycle.

Fifth, measure the right thing. Patch speed is not the metric. Blast radius is the metric. Two organizations hit by the same CVE produce different outcomes when one runs a hardened single-tenant appliance and the other runs a customer-managed web app on a flat trust boundary. According to Black Kite’s 2026 Third-Party Breach Report, the median third-party breach disclosure lag is 73 days. The architecture that limits exposure during those 73 days is what determines the regulatory and reputational outcome.

The MOVEit record is not a story about Progress Software. It is a story about a category of data exchange architecture that has reached the end of its defensible life under modern threat conditions. The next critical MFT vulnerability is already being discovered. What determines the headline you appear in is the platform model you chose before the disclosure landed.

Frequently Asked Questions

Patch speed addresses the disclosed vulnerability. It does not address the architectural pattern producing them. Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report found 59 percent of organizations suffered an MFT-related incident in the past year. Patching keeps you current on known issues. Architecture determines what happens during the next zero-day window, when exploitation precedes disclosure.

Upgrade to MOVEit Automation 2025.1.5, 2025.0.9, or 2024.1.8 using the full installer — Progress states there is no workaround for CVE-2026-4670 or CVE-2026-5174. Inventory internet-exposed MOVEit Automation instances. Review audit logs for indicators of compromise on the service backend command port interfaces. Then put an architectural review on the next planning cycle.

Regulators are increasingly looking at sustained risk posture, not just incident response. After three critical MOVEit waves in three years, Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found that 33 percent of organizations lack evidence-quality audit trails. SEC, OCR, ICO, and OAIC have all signaled that “we patched” is not a complete answer when the platform’s disclosure record indicates a structural problem.

When an MFT vulnerability lands and an attacker reaches the file store, AES-256 at rest is what stands between them and readable PHI. Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report found healthcare encrypts just 11 percent of stored MFT data, despite 100 percent in-transit encryption. HIPAA’s reasonable safeguards standard at 45 CFR §164.308 looks at the controls actually in place when data was accessed, not the policies on paper.

Consolidation onto one hardened, single-tenant appliance reduces the attack surface and unifies the audit trail. Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report found 62 percent of organizations operate fragmented systems, generating inconsistent policies and scattered evidence. Multi-tenant SaaS produces concentration risk because thousands of customers share the same trust boundary. Single-tenant consolidation eliminates fragmentation without creating shared-fate exposure.

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.
