//nefariousplan

MFT as Primary Target

Managed file transfer products carry the payload and the trust. Now carry the breaches.

Attackers picked a target class and stuck with it. Since roughly 2023, managed file transfer products have produced a continuous stream of in-wild zero-days, mass exploitation campaigns, and multi-customer breaches. The list is short and familiar: MOVEit, Cleo, GoAnywhere, CrushFTP, Progress WS_FTP. Each product's incident is different. The pattern across them is identical. Attackers invest against this category, year after year, because the category pays.

The investment decision is not mysterious. MFT products have a specific shape that makes them structurally attractive, and the industry's trust model around them has not caught up. This pattern names the shape so defenders can see why their MFT product is being attacked not despite being a file transfer tool, but BECAUSE of it.

Mechanism

MFT products occupy a specific position in enterprise architecture. They sit on the public internet by design, because their job is to accept files from partners, vendors, customers, and other external parties. They authenticate to internal systems with durable service accounts, because their job is to deliver those files into business-critical workflows. They hold sensitive data in transit and at rest, because the files they carry are, by definition, the files worth moving over a formal transfer product.

Three properties compose into the attack shape. First, direct internet reach: the product is always there, always listening, always one scan away from any attacker building a target list. Second, high-trust internal access: the service account the MFT runs under can read and write to the destinations it delivers to, which is often a lot of places in the customer's environment. Third, data adjacency: the files being transferred are the ones customers pay money to move, which tends to be the ones with personnel data, financial records, healthcare information, or operational secrets.

Attackers pick MFT over other products because the ratio of reach to payoff is unusually high. A single working exploit against one MFT product instance unlocks file-level access to whatever that instance was processing, across whoever that instance served. In a managed-services configuration, one vendor's exploit fans out to every customer that vendor hosts. The 2023 MOVEit campaign remains the reference incident for this multiplier, but the pattern persists across the product category.

The design-level reason each incident keeps happening is covered in Design Debt Driver. MFT products tend to have decades-old codebases with parsing layers, authentication grafted on after the fact, and administrative interfaces exposed on the same ports as the data interface. The specific CVEs rhyme. The category selection is the strategic layer; the implementation-level bugs are the tactical layer.

Exhibits

CrushFTP CVE-2025-31161: MFT Is the Target Now. CrushFTP's pre-auth flaw, tracked as an authentication bypass that hands an unauthenticated client administrative access rather than as a direct RCE, continued the MFT category trajectory. The exploit reduces to a request path that reaches a sensitive operation without authentication. Exploitation predated the public advisory by weeks, with incident response firms seeing the same entry point across unrelated customers before the vendor's disclosure landed. The post names the specific pattern this incident inherits from MOVEit: pre-auth write reaching an execution path in a product whose job is accepting writes.

Boundaries

Not every enterprise product with a CVE. The pattern describes MFT products specifically. Identity brokers, edge appliances, VPN products have their own dynamics and their own patterns (see Disclosure After Exploitation for the overlapping vendor-side behavior). What makes MFT particular is the composition of direct internet reach, privileged internal access, and data adjacency.

Not every file transfer product. Purpose-built secure file transfer that is isolated from internal systems, with narrow IAM, limited data retention, and strict network egress, does not fit the pattern. The pattern is about the common deployment: a long-running product with broad authority, accepting files from the internet, integrated into business workflows. That is the profile attackers target.

Not every MFT incident. A misconfigured customer deployment that exposes data without a product CVE is ordinary operational failure, not this pattern. The pattern specifically describes vulnerabilities IN the MFT product, exploited against multiple customers through the product's intended entry points.

Defender playbook

If your stack includes an MFT product, treat it as a tier-1 target independent of the specific product. The CVE stream in this category is continuous. The next advisory is inventory, not exception. Staffing, monitoring, and response cadence should reflect that the product will produce a weaponized RCE on a recurring schedule measured in months.

Segment MFT aggressively. The product's job is to accept files from the outside and deliver to the inside. The segmentation should limit what "the inside" means for this product. Dedicated VLANs, minimal service-account privilege, no lateral reach to credential stores or admin interfaces. If the product is compromised, the blast radius should stop at the files it was moving, not at the customer's crown jewels.

Watch the vendor-side disclosure-gap signals. MFT advisories frequently follow active exploitation. The in-wild-to-public window is often days to weeks. Threat intelligence that names specific MFT products under attack should trigger your response clock, whether or not the vendor has published a CVE. Waiting for the CVE is waiting for your own incident report.

Audit which of your customers' data flows through the MFT. If the product is compromised, the customers whose data was in-transit or at-rest during the window need notification and, where applicable, rotation of credentials that moved through it. Many organizations discover after an MFT incident that they had no inventory of which files were there, which delays response for every affected customer by the time it takes to reconstruct the log.
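The reconstruction the paragraph above says organizations end up doing under time pressure, written out in advance as an added example (not code from the original page or from any MFT vendor). The transfer-log format, partner names and service-account names are constructed for the illustration; the interval logic is the part to keep. A file counts as exposed if it was physically on the host at any point in the window, which catches data at rest from earlier uploads, not only transfers that happened during the window. Delivery credentials are reported separately because they live in the product's configuration and are exposed by a host compromise whether or not they were used while the attacker was present.

```python
"""Reconstruct which partners had data on an MFT host, and which credentials
passed through it, during an incident window.

Hypothetical log format (constructed for this example), one event per line:
    <ISO-8601 UTC timestamp> <UPLOAD|DELIVER|PURGE> partner=<id> file=<path> [cred=<account>]
UPLOAD: the file landed on the MFT.  DELIVER: it was handed to the internal
destination using the named service credential.  PURGE: the product removed
it from its own storage.  Adapt parse_log() to the real product's log.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>UPLOAD|DELIVER|PURGE)\s+(?P<kv>.*)$")

# Constructed sample log for a fictitious deployment; not real data.
SAMPLE_LOG = """\
2025-03-28T08:00:00Z UPLOAD  partner=acme     file=/in/acme/payroll.csv     cred=svc-acme
2025-03-28T08:05:00Z DELIVER partner=acme     file=/in/acme/payroll.csv     cred=svc-hr-drop
2025-03-29T09:00:00Z UPLOAD  partner=globex   file=/in/globex/claims.zip    cred=svc-globex
2025-03-30T10:00:00Z DELIVER partner=globex   file=/in/globex/claims.zip    cred=svc-claims-drop
2025-03-30T10:01:00Z PURGE   partner=globex   file=/in/globex/claims.zip
2025-03-31T11:00:00Z UPLOAD  partner=initech  file=/in/initech/invoices.pdf cred=svc-initech
2025-04-02T12:00:00Z DELIVER partner=initech  file=/in/initech/invoices.pdf cred=svc-ap-drop
2025-04-03T13:00:00Z UPLOAD  partner=umbrella file=/in/umbrella/labs.csv    cred=svc-umbrella
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    partner: str
    path: str
    cred: Optional[str]


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        kv = dict(tok.split("=", 1) for tok in m["kv"].split())
        events.append(Event(parse_ts(m["ts"]), m["kind"], kv["partner"], kv["file"], kv.get("cred")))
    return sorted(events, key=lambda e: e.ts)


@dataclass
class Residency:
    """Interval during which a file physically existed on the MFT host."""
    partner: str
    path: str
    uploaded: datetime
    purged: Optional[datetime] = None  # None: still on disk at end of log


def residencies(events: List[Event]) -> Dict[str, Residency]:
    res: Dict[str, Residency] = {}
    for e in events:
        if e.kind == "UPLOAD":
            res.setdefault(e.path, Residency(e.partner, e.path, e.ts))
        elif e.kind == "PURGE" and e.path in res:
            res[e.path].purged = e.ts
    return res


def exposure(events: List[Event], window_start: datetime,
             window_end: datetime) -> Tuple[Dict[str, List[str]], Set[str], Set[str]]:
    """Return (partners to notify -> their exposed files,
               credentials used through the product inside the window,
               delivery credentials stored in the product's configuration).

    A file is exposed if its residency overlaps the window: uploaded before
    the window closed and not purged before it opened."""
    affected: Dict[str, List[str]] = {}
    for r in residencies(events).values():
        if r.uploaded < window_end and (r.purged is None or r.purged > window_start):
            affected.setdefault(r.partner, []).append(r.path)
    used_in_window = {e.cred for e in events if e.cred and window_start <= e.ts < window_end}
    stored_delivery = {e.cred for e in events if e.kind == "DELIVER" and e.cred}
    return affected, used_in_window, stored_delivery


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hit, used, stored = exposure(evs, parse_ts("2025-03-30T00:00:00Z"),
                                 parse_ts("2025-04-01T00:00:00Z"))
    for partner, files in sorted(hit.items()):
        print(f"notify {partner}: {', '.join(files)}")
    print("rotate (used during window):", sorted(used))
    print("rotate (stored on product):", sorted(stored))
```

With the constructed log and a window of 30 March to 1 April, acme is affected even though its only transfer was two days earlier, because the product never purged the file; umbrella is not, because its upload came after the window closed. Run this against a real log before the incident, not after: if parse_log() cannot be written because the product's transfer log does not record partner, path and credential per event, that is the inventory gap the paragraph describes.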

Consider the product category a temporary architecture, not a durable one. Some organizations have moved MFT workloads off long-running internet-facing appliances and onto short-lived, per-transfer infrastructure. The tradeoff is operational, not trivial. For programs that cannot absorb the continuing incident cost of staying on long-running MFT, the migration is the real defense.

Kinship

Design Debt Driver. The underlying mechanism at the implementation level. MFT products keep producing CVEs of the same classes because their architectures hold those primitives. MFT as Primary Target is the strategic frame: attackers choosing this product category because of design debt across the category. Design Debt Driver is the per-product explanation of why the specific CVEs keep arriving.

Unauth Write To Execution Path. Recurring specific CVE shape in this product category. MFT's architectural purpose includes accepting writes without authentication (for partner-facing endpoints) and running code in the same filesystem tree (for processing workflows). The two paths overlap more often than they should. The Unauth Write To Execution Path pattern appears repeatedly inside MFT as Primary Target incidents.
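The overlap described above, as an added example in hypothetical code (not taken from CrushFTP, MOVEit or any other product): a vulnerable upload handler whose upload tree sits beside a hooks/ directory that the processing engine is assumed to execute scripts from, next to a hardened handler that requires an already-authenticated partner, accepts only a bare filename, writes into a per-partner inbox outside any execution path, and stores the file non-executable. The directory layout, the hooks/ convention and the partner name are assumptions made for the illustration; planted_hooks() only lists what the engine would run, it executes nothing.

```python
"""Vulnerable and hardened upload handlers for the write-reaches-execution
shape. Hypothetical code for illustration; the layout (uploads/ beside
hooks/, the engine running every *.sh under hooks/) is an assumption."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def planted_hooks(hook_root: Path) -> List[str]:
    """Stand-in for the processing engine's hook discovery: in the assumed
    design it would execute every *.sh found here. We only list them."""
    if not hook_root.is_dir():
        return []
    return sorted(p.name for p in hook_root.glob("*.sh"))


def vulnerable_save(upload_root: Path, filename: str, data: bytes) -> Path:
    """Vulnerable shape: nothing authenticates the caller at this layer, the
    client-supplied name is joined verbatim, and hooks/ lives beside the
    upload tree. A name like ../hooks/x.sh becomes a hook."""
    dest = upload_root / filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest


def hardened_save(inbox_root: Path, partner: str, filename: str, data: bytes) -> Path:
    """Hardened shape: the caller has already authenticated `partner`; only a
    plain basename is accepted; the file lands in a per-partner inbox that the
    engine never executes from, mode 0640, written atomically."""
    name = Path(filename).name
    if name != filename or name.startswith(".") or name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    if not partner.isalnum():
        raise ValueError(f"rejected partner id: {partner!r}")
    partner_dir = inbox_root / partner
    partner_dir.mkdir(parents=True, exist_ok=True)
    dest = partner_dir / name
    if dest.resolve().parent != partner_dir.resolve():  # belt and braces
        raise ValueError("path escapes partner inbox")
    fd, tmp = tempfile.mkstemp(dir=partner_dir, prefix=".upload-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)  # 0640, never +x
        os.replace(tmp, dest)  # a half-written file is never visible under its final name
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise
    return dest


def demo() -> Dict[str, object]:
    """Run both handlers against the same traversal attempt in a scratch tree
    and report what the hook directory looks like afterwards."""
    payload = b"#!/bin/sh\nid > /tmp/pwned\n"  # constructed attacker upload
    with tempfile.TemporaryDirectory() as td:
        base = Path(td)
        upload_root, hooks, inbox = base / "uploads", base / "hooks", base / "inbox"
        for d in (upload_root, hooks, inbox):
            d.mkdir()

        vulnerable_save(upload_root, "../hooks/pwn.sh", payload)
        vulnerable_planted = planted_hooks(hooks)  # ["pwn.sh"]: attacker owns the execution path
        (hooks / "pwn.sh").unlink()  # reset before trying the hardened handler

        try:
            hardened_save(inbox, "acme", "../hooks/pwn.sh", payload)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True
        good = hardened_save(inbox, "acme", "report.csv", b"a,b\n")
        return {
            "vulnerable_planted": vulnerable_planted,
            "hardened_rejected": hardened_rejected,
            "hardened_dest": good.relative_to(base).as_posix(),
            "hardened_mode": stat.S_IMODE(good.stat().st_mode),
            "hooks_after_hardened": planted_hooks(hooks),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The basename check is the cheap fix, but the structural fix is the inbox living in a tree the engine never reads hooks from: even if a future name-validation bug lets a traversal through, there is no execution path on the other side of the write.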

Disclosure After Exploitation. Vendor-side consequence. MFT incidents land on the defender's radar through in-wild exploitation rather than research channels, because the attackers are watching this category as continuously as the vendors are maintaining it, and often with more engineering resources aimed at it.

MFT is not the attack surface despite being a file transfer tool. MFT is the attack surface because it is a file transfer tool.