Published in: Blog

The vulnerability “zombie bite”: What if your vendor is patient zero?

How vendor architecture can cause outbreaks and what CISOs must ask

In every zombie apocalypse film, there’s that scene. A trusted survivor begins acting strangely, hiding their arm and insisting, “No, I’m fine.” The group faces a critical choice: trust the reassurances…or investigate the possibility of a hidden bite that could doom them all.

In cybersecurity, a vendor’s undisclosed or delayed vulnerability management is no different. It’s a festering threat that, if left unaddressed, will inevitably turn into a major event, threatening not just one system but the entire enterprise ecosystem in which it operates. Unfortunately, this issue has surfaced in the managed file transfer (MFT) industry several times since 2020, and the Kiteworks Data Security and Compliance Risk 2025 MFT Survey Report found that an alarming 59% of organizations suffered an MFT vulnerability or a related security incident in just the past year.

A recent, critical 10.0 CVSS-rated deserialization vulnerability (CVE-2025-10035) in a managed file transfer solution has brought this chilling analogy into sharp focus, forcing a hard look at how we evaluate the security and resilience of our software partners.

The vulnerability window and spreading infection

This MFT vulnerability is a textbook case of a vendor’s architecture becoming the attacker’s entry point: it was exploited in the wild as a zero-day, and the intrusions eventually resulted in ransomware deployment.

For any organization, the most dangerous period is the “vulnerability window”: the time between the first attack and the availability of a patch, and then its deployment. In this case, security researchers observed active exploitation at least a week before a patch or public warning was issued. This created a seven-day gap during which organizations were being actively compromised without any available defense, a hidden zombie bite that unknowingly put customers at risk.

More troubling, though, is that this wasn’t a new, novel exploit. The MFT vulnerability was a near-perfect echo of a flaw two years prior that was exploited by ransomware, located in the exact same administrative component: a license-processing servlet. This allowed the threat actors to use a command injection or remote code execution to deploy ransomware, marking the second time this vendor’s product has been exploited through a zero-day vulnerability. This pattern points to possible architectural debt, resulting in a persistent and severe security liability that is repeatedly paid for by customers.

The evolving threat

Vendor assurances alone are no longer a sufficient security strategy. The threat landscape is evolving, and attackers are growing more sophisticated, leveraging vendor-created weaknesses as their primary entry points. The burden of remediation repeatedly falls on the customer, requiring both the vendor and the customer to work together in order to eliminate the risk of exploitation. The 2025 Verizon Data Breach Investigations Report (DBIR) paints a stark picture in its findings:

  • Exploitation of vulnerabilities has seen another year of growth as an initial access vector, now accounting for 20% of breaches and approaching the frequency of credential abuse. In MFT alone, there have been over five confirmed ransomware incidents since 2020, all of which were deployed through an MFT vulnerability.
  • The DBIR highlights that attacks targeting edge devices and VPNs grew almost eightfold from the previous year, accounting for 22% of vulnerability exploitations. These internet-facing assets are the new front line, and a flaw in one can provide a direct path into your network.
  • Most critically, third-party involvement in breaches has doubled, rising from 15% to 30% in just one year. This statistic confirms that your vendors’ security posture is now an integral part of your own, and that an MFT vulnerability can affect your entire network.

The Kiteworks Data Security and Compliance Risk 2025 MFT Survey Report goes further, uncovering the fundamental gaps in file transfer:

  • The Encryption Gap: While 76% of organizations encrypt data in transit, only 42% use AES-256 for data at rest, leaving files vulnerable in storage where attackers often strike.
  • The Visibility Gap: 63% of organizations have not connected their MFT systems to security monitoring tools, such as a SIEM, meaning their security teams are operating with a massive blind spot. This could allow an MFT vulnerability to go undetected until threat actors begin exploiting it.
  • The Complexity Gap: 62% operate separate, fragmented systems for different data exchange functions, creating inconsistencies and vulnerabilities that attackers exploit.

It’s clear then, given the expanding attack surface for threat actors and the increasing complexity in enterprise software, that relying on a vendor’s promise to patch is like hoping your friend will tell you about their zombie bite after they find a cure. A proactive cybersecurity defense requires an architecture that is resilient by design, not just reactive in its response.

Building the right vendor team: A CISO’s guide to vendor due diligence

Effective vendor vetting, especially for MFT solutions or those with connections outside your organization, requires security leaders to look beyond mere feature lists and performance metrics. You must dissect their architecture and business practices to expose hidden cybersecurity risks, like the MFT vulnerability mentioned above. Here are the critical areas to inspect and the questions you should be asking to protect your environment and reduce the risk of exploitation and ransomware.

1. Mandate management plane isolation

During any procurement or contract renewal, make the architectural separation of management and data planes a non-negotiable requirement. The administrative functions — licensing, configuration and monitoring — are a “shadow attack surface” that are often more vulnerable than the data services they control.

  • Ask: How does your solution, by default, prevent any direct network path from the public internet to administrative consoles, APIs or services?
  • Look for: A reverse proxy architecture, such as a purpose-built MFT gateway in the DMZ; this should be considered the baseline standard for security. This design physically and logically isolates the high-privilege management plane, making it inaccessible to external attackers.
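The “no direct network path from the internet to the management plane” requirement can be checked mechanically against a gateway’s route table rather than taken on trust. The following is an added example, not code from the original post, from Redwood or from any MFT vendor; the route-table format, the listener names and the administrative path prefixes (`/admin/`, `/license/`, `/config/`) are assumptions chosen for illustration, not any product’s real paths. It models a reverse-proxy gateway as a list of per-listener prefix rules with longest-prefix matching and default deny, then audits three configurations: a flat catch-all, a gateway that forgot one admin prefix, and a gateway that forwards only data-plane paths externally.

```python
"""Audit a reverse-proxy/gateway route table for management-plane exposure.

Added example; not code from the original post or any vendor. The route
format and admin prefixes are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Hypothetical administrative path prefixes. In a real audit these come from
# the vendor's documentation of its management plane (consoles, license
# servlets, configuration and monitoring APIs).
ADMIN_PREFIXES = ("/admin/", "/license/", "/config/")


@dataclass(frozen=True)
class Route:
    listener: str   # "external" (internet-facing) or "management"
    prefix: str     # URL path prefix the rule matches
    action: str     # "forward" or "deny"


def resolve(routes, listener, path):
    """Longest-prefix match on one listener; default deny when nothing matches."""
    best = None
    for r in routes:
        if r.listener == listener and path.startswith(r.prefix):
            if best is None or len(r.prefix) > len(best.prefix):
                best = r
    return best.action if best else "deny"


def audit_gateway(routes):
    """Return the admin prefixes the external listener would forward to the app."""
    return [p for p in ADMIN_PREFIXES if resolve(routes, "external", p) == "forward"]


# "Before": a catch-all forward on the external listener exposes everything,
# including the administrative servlets, to the internet.
FLAT_ROUTES = [
    Route("external", "/", "forward"),
]

# Common mistake: a catch-all plus a blocklist of admin paths. The blocklist
# is only as complete as whoever wrote it; here "/config/" was forgotten.
MIXED_ROUTES = [
    Route("external", "/", "forward"),
    Route("external", "/admin/", "deny"),
    Route("external", "/license/", "deny"),
    Route("management", "/", "forward"),
]

# "After": the external listener forwards only data-plane paths (allowlist,
# default deny); the management listener is reachable only from the
# management network, which the network layer enforces (not modelled here).
GATEWAY_ROUTES = [
    Route("external", "/files/", "forward"),
    Route("external", "/sftp-web/", "forward"),
    Route("management", "/", "forward"),
]

if __name__ == "__main__":
    for name, table in (("flat", FLAT_ROUTES), ("mixed", MIXED_ROUTES),
                        ("gateway", GATEWAY_ROUTES)):
        exposed = audit_gateway(table)
        print(f"{name}: {'OK' if not exposed else 'EXPOSED ' + ', '.join(exposed)}")
```

The design point is the difference between the second and third tables: a blocklist of administrative paths on top of a catch-all forward fails silently when the vendor adds or renames a helper endpoint, whereas an allowlist of data-plane paths with default deny fails closed.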

2. A Field CTO’s Take: Scrutinize the EULA for possible security traps to expose the “double whammy” in license agreements

Ryan Wood, Field CTO at Redwood Software and a file transfer expert, dives deeper into the risks of licensing and customer architecture.

“Treat all vendor legal documents, particularly the End-User License Agreement (EULA) and License Information (LI) documents, as critical security artifacts. Business policies often dictate a customer’s deployed architecture, sometimes creating vulnerable attack surfaces unintentionally by design.

This is a “double whammy” risk I see constantly:

  • The first whammy? Security. The vendor mandates that you run a specific component for administrative tasks. CVE-2025-10035 is the perfect example: the flaw was in the License Servlet, a component required for the business function of licensing. Similarly, the IBM Aspera breach (CVE-2022-47986) was in an administrative API endpoint. In both cases, a non-core, administrative “helper” service became the unlocked front door for a catastrophic breach.
  • The second whammy? Compliance. You must look at why these components exist. Scrutinize your EULA and licensing docs. Do they require you to install agents to report on sub-capacity usage? Do they mandate that your on-premises system must communicate with the vendor’s cloud for telemetry or audit purposes?”

It’s clear, then, that these clauses create a vendor-mandated architectural dependency that is both a prime security target and a data sovereignty liability.

  • Ask:
    • “Can you show me the exact clause in your EULA that describes your license validation and audit process?”
    • “What specific on-premise components, agents or servlets are required to fulfill this? What network access do they require?”
    • “What data (even if it’s just system metadata) is being sent from my network to your cloud, and how are you securing that channel?”
  • Look for: Clauses that require vendor agents or internet-facing services for license validation or telemetry. These are the exact components that become liabilities, as the 10.0 CVSS-rated MFT vulnerability proved. You are being forced to accept an architectural risk and a compliance risk simultaneously.

3. Apply zero-trust principles to the entire management plane

Zero-trust principles also reduce your exposure to a zero-day vulnerability. Extend them beyond user access and apply them to all system components: every administrative function — licensing, software updates, diagnostics and backup agents — must be treated as a potential threat vector and a backdoor for attackers.

  • Ask: How are your administrative “helper” services segmented and controlled? Do they run with elevated privileges, and can they communicate outbound without restriction?
  • Look for: A vendor philosophy that subjects these “benign” internal services to the same strict network segmentation, least-privilege access controls and intensive monitoring as any public-facing application.
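The two questions in this section (who can reach the administrative “helper” services, and whether they can communicate outbound without restriction) only have answers if the MFT system’s logs actually reach your monitoring, which is the Visibility Gap from the Kiteworks findings above. The following is an added example, not code from the original post or from any vendor, showing what a SIEM rule for both questions looks like when run over log lines. Everything in it is an assumption chosen for illustration: the `ts key=value ...` log format, the management network `10.10.0.0/24`, the admin path prefixes, the service names and the egress allowlist; the sample log lines are constructed and use the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Two detections for the MFT management plane, run over constructed logs.

Added example; not code from the original post or any vendor. Log format,
networks, paths and allowlists are assumptions chosen for illustration.
"""
import ipaddress

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")        # assumed management network
ADMIN_PREFIXES = ("/admin/", "/license/", "/config/")  # hypothetical admin paths

# Hypothetical egress allowlist: the only destinations each administrative
# "helper" service is permitted to reach. An empty set means no outbound at all.
EGRESS_ALLOW = {
    "license-agent": {"license.vendor.example:443"},
    "telemetry-agent": set(),
}


def parse(line):
    """Parse 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return (rule, timestamp, detail) for each event that violates policy.

    Rule 1: an administrative path was reached from outside the management
            network (a request that a DMZ gateway should never have forwarded).
    Rule 2: a helper service connected to a destination not on its allowlist.
    """
    alerts = []
    for line in lines:
        rec = parse(line)
        kind = rec.get("kind")
        if kind == "http":
            src = ipaddress.ip_address(rec["src"])
            if rec["path"].startswith(ADMIN_PREFIXES) and src not in MGMT_NET:
                alerts.append(("ADMIN_PATH_FROM_NON_MGMT", rec["ts"],
                               f"{rec['src']} -> {rec['path']}"))
        elif kind == "egress":
            allowed = EGRESS_ALLOW.get(rec["svc"], set())
            if rec["dst"] not in allowed:
                alerts.append(("UNEXPECTED_EGRESS", rec["ts"],
                               f"{rec['svc']} -> {rec['dst']}"))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2025-10-06T09:00:01Z kind=http src=10.10.0.15 path=/admin/login status=200",
    "2025-10-06T09:00:07Z kind=http src=203.0.113.45 path=/files/upload status=200",
    "2025-10-06T09:00:09Z kind=http src=203.0.113.45 path=/license/ status=200",
    "2025-10-06T09:00:12Z kind=egress svc=license-agent dst=license.vendor.example:443",
    "2025-10-06T09:00:14Z kind=egress svc=telemetry-agent dst=198.51.100.20:443",
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOGS):
        print(f"{ts} {rule}: {detail}")
```

The first alert is the case this post is about: an internet address reaching a license endpoint at all is the finding, regardless of status code, because the management plane should have no external path. The second alert is the outbound question from the “Ask” bullet above, expressed as a per-service allowlist so that a telemetry or licensing agent cannot quietly open channels you did not agree to in the EULA.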

4. Demand radical transparency and rapid response

A vendor’s performance during a security incident is a direct reflection of their trustworthiness. The “vulnerability window” is an unacceptable risk, and ambiguity in vendor communication is a risk multiplier that delays customer response.

  • Ask: What are your contractual SLAs for vulnerability notification and patch delivery, especially when a flaw is being actively exploited?
  • Look for: A demonstrated history of timely, transparent and unambiguous communication. Challenge vendors on their disclosure policies and demand a contractual commitment to rapid response.

In the fight for your organization’s survival, you wouldn’t choose a partner that may hide a potential infection like ransomware or an MFT vulnerability. Today’s threats demand a security partner — not just a software vendor.

True resilience is built on a foundation of trust and a proven commitment to security-first design. For teams struggling to find security-conscious partners for workload automation or managed file transfer, it’s worth considering vendors with a long history of architectural integrity. For over 30 years, Redwood Software has been a trusted leader in automation, with its JSCAPE MFT solution providing secure file transfer for more than 26 of those years. This long-standing commitment reflects an approach that prioritizes resilience by design, helping organizations build a more secure foundation for their most critical data exchanges from the very start.

Citations:

  1. Verizon Business. “2025 Data Breach Investigations Report.” 2025. https://www.verizon.com/business/resources/reports/dbir/.
  2. Kiteworks. “Kiteworks Data Security and Compliance Risk: 2025 MFT Survey Report.” October 2025. https://www.kiteworks.com/sites/default/files/resources/data-security-compliance-risk-2025-mft-report.pdf.
  3. Microsoft Threat Intelligence. “Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability.” Microsoft Security Blog, October 6, 2025. https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/.
  4. Fortra Security and Trust Center. “Deserialization Vulnerability in GoAnywhere MFT’s License Servlet.” September 2025. https://www.fortra.com/security/advisories/product-security/fi-2025-012.
  5. Fortra. “Summary of the Investigation Related to CVE-2025-10035.” October 2025. https://www.goanywhere.com/blog/summary-investigation-related-cve-2025-10035.
  6. Fortra. “Summary of the Investigation Related to CVE-2023-0669.” April 2023. https://www.fortra.com/blog/summary-investigation-related-cve-2023-0669.
  7. Rapid7. “Exploitation of GoAnywhere MFT zero-day vulnerability.” February 2023. https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-zero-day-vulnerability/.
  8. National Institute of Standards and Technology. “CVE-2025-10035 Detail.” National Vulnerability Database. https://nvd.nist.gov/vuln/detail/CVE-2025-10035.
