July 9, 2025

What the MOVEit Breach Tells Us About Third-Party Risk in 2025

In 2023, the MOVEit file transfer software breach made headlines as one of the most widespread third-party attacks in recent history. Fast forward to 2025, and we're seeing a resurgence: renewed vulnerabilities, follow-on attacks, and the long tail of exposure that has continued to impact both public and private sector organizations.

The latest iteration of the MOVEit breach is a wake-up call, not just about patching software but about how organizations evaluate, monitor, and secure their entire third-party ecosystem.

The Scope of the Breach

While details are still unfolding, this most recent breach affected dozens of companies, some of which had implemented basic security protocols, but had limited visibility into how third-party vendors handled data or applied updates. The breach once again exploited a vulnerability in the MOVEit platform, this time using more sophisticated payload delivery mechanisms that evaded endpoint detection in several cases.

Why It Matters in 2025

We’ve spent the past two years hearing that “supply chain risk” is a board-level issue, and yet, many organizations still treat it as a procurement concern, not a security one. The MOVEit breach highlights four key gaps:

  1. Assumed Security Isn’t Real Security
    Too many vendor reviews stop at a questionnaire or a one-time SOC 2 report. Real assurance requires continuous validation, especially for tools handling sensitive data in transit.
  2. Patch Management Isn’t Just Internal
    Vendors often delay critical patches, leaving customers unknowingly exposed. Organizations must implement SLAs and response-time expectations around patching and updates for key tools.
  3. Data Exposure Extends Further Than You Think
    Many victims of the breach didn’t even know MOVEit was in use, because it was used by a vendor’s vendor. Third-party risk now includes your fourth and fifth parties, too.
  4. Security Isn’t Delegated, It’s Shared
    Handing off a process doesn’t hand off the risk. The responsibility to assess, monitor, and mitigate third-party risk ultimately stays with the organization, no matter who’s handling the data.

What You Can Do Now

At Framework Security, we’re helping clients revisit their entire third-party risk strategy. That includes:

  • Building live risk registers tied to vendors, with real-time tracking of access levels, data types, and security posture.
  • Implementing third-party monitoring tools and breach alerting integrations.
  • Running scenario-based tabletop exercises that incorporate vendor compromise and downstream impact.
  • Offering contractual advisory around risk allocation, audit rights, and breach response expectations.

The MOVEit breach is a symptom of a deeper issue: organizations outsourcing functionality without retaining control or visibility. In 2025, that’s no longer acceptable. Your third-party risk is your risk. Make sure your security posture reflects that.

Need help navigating vendor risk or building a third-party strategy that works in today’s threat landscape? Let’s talk.
