Critical Security Alert: MOVEit Automation, April 2026

CData Arc

The MFT Breach Pattern Is Architectural. So Is Our Fix.

MOVEit Automation. MOVEit Transfer. GoAnywhere. Accellion. Each incident shares the same root cause: the management plane and the data plane exposed on the same host.

CData Arc’s Split-Plane Deployment removes the admin interface from the network perimeter entirely, eliminating an entire class of exploits at the architecture level, not the patch level.

MOVEit Automation Critical Security Alert: April 2026

Progress Software disclosed a critical vulnerability in MOVEit Automation enabling unauthenticated remote access. Organizations running MOVEit Automation should assess their exposure immediately.

Why This Keeps Happening

MFT Breaches Follow a Predictable Script

The recurring pattern of MFT platform exploits isn’t bad luck. It’s the predictable consequence of architectures built before internet-facing deployment was the norm, then patched rather than redesigned.

April 2025: MOVEit Automation

Progress Software disclosed a critical vulnerability in MOVEit Automation allowing unauthenticated remote access. Organizations were advised to apply emergency patches immediately, or take systems offline.

A Pattern, Not an Incident

Accellion FTA (2021). GoAnywhere MFT (2023). MOVEit Transfer (2023). MOVEit Automation (2025). Each platform, each year, the same fundamental flaw exploited in a new product.

The Root Cause: Two Planes, One Exposure

Most MFT platforms conflate the data plane (what trading partners reach) with the management plane (your admin console and workflow engine). Exposing one means exposing both. Attackers know it.

Patches Treat Symptoms, Not the Architecture

Emergency patches fix the disclosed bug. They don’t change the fact that your management interface is internet-facing. The next CVE will find the same exposure, in a different endpoint.

The Fix Isn’t a Better Patch. It’s a Better Architecture.

CData Arc’s Split-Plane Deployment separates the management plane from the data plane at the architectural level, not just the network level. The admin console is never instantiated on the internet-facing host. It’s not hidden. It’s not firewalled. It’s architecturally absent.

Traditional MFT
One Host: Both Planes Exposed
  • SFTP server (internet-facing)
  • AS2 receiver (internet-facing)
  • Admin console (also internet-facing)
  • Workflow engine (also internet-facing)
  • Credential store (also internet-facing)

CData Arc: Split-Plane
Perimeter Host: Data Plane Only
  • SFTP server (internet-facing)
  • AS2 receiver (internet-facing)
  • AS4, OFTP endpoints (internet-facing)
  • Admin console: not present
  • Workflow engine: isolated internally

Management Plane Off the Internet

The admin console and workflow engine run on an internal host only. An authentication bypass in the admin interface can’t be exploited remotely if the interface has no network presence.

Data Plane Stays Accessible

Trading partners can still reach every protocol they need: SFTP, AS2, AS4, OFTP, webhook endpoints. The perimeter remains open exactly where it should be. Nowhere else.

DMZ Gateway for Extra Isolation

For organizations that require perimeter-facing components, Arc’s DMZ Gateway adds a second layer of network segmentation while keeping the core platform off the internet entirely.


Platform Capabilities

Everything MOVEit Does, and More, Built Securely.

CData Arc delivers the full MFT protocol stack your trading partners require, with EDI, application integration, and an architecture designed for internet-facing deployment from the ground up.

  • Split-Plane Deployment: Management plane architecturally isolated from the data plane. Built in, not bolted on.
  • SFTP, FTPS, SCP: Full managed file transfer over industry-standard protocols, Drummond Certified AS2 since 2004.
  • AS2, AS4, OFTP2: Complete B2B transport layer for EDI and secure document exchange.
  • EDI Translation: X12, EDIFACT, HL7, HIPAA, and 50+ EDI standards natively. MOVEit doesn’t do this.
  • DMZ Gateway: Optional perimeter relay for additional network segmentation without exposing the core engine.
  • ERP & CRM Connectors: SAP, Dynamics, Salesforce, and 300+ connectors: move files directly into business systems.
  • Visual Workflow Designer: Drag-and-drop UI. No scripting required for standard MFT automation.
  • Role-Based Access & AD/SSO: Enterprise access controls with Active Directory integration.
  • Audit Logs & Compliance Reporting: Complete transaction history with tamper-evident logging for HIPAA, SOC 2, and PCI requirements.
  • High Availability & Zero-Downtime Upgrades: Patch individual nodes without pulling the environment offline: no emergency maintenance windows.

Evaluating Your Options

What to Ask Any MFT Vendor About Security Architecture

These are the questions that separate architectural security from compensating controls, before the next CVE surfaces.

  1. Can the management plane be completely separated from the data plane?

    Not just protected: separated. Is there a deployment mode where the admin interface is architecturally absent from the internet-facing host, or does every deployment expose some management surface to the network?

  2. Is the separation architectural or only network-level?

    A firewall rule or DMZ proxy is a network-level control. Valuable, but brittle. Architectural separation means the management plane components don’t run on the perimeter host at all. There’s no endpoint to exploit.

  3. What does patching require?

    When a critical vulnerability is disclosed, can you patch the management plane without taking down file transfer? Platforms with flexible deployment models support zero-downtime upgrades. Monolithic deployments require an emergency maintenance window, under active threat pressure.

  4. Where have vulnerabilities historically appeared?

    Not all CVEs are equal. A vulnerability in the core authentication or transfer logic tells you something about where the vendor’s engineering attention has been focused, and where it hasn’t. Review the CVE history, not just the marketing.

  5. Move from MOVEit to CData Arc

    Arc installs on your existing Windows Server infrastructure. Recreate your MOVEit trading partner connections and automations in Arc’s visual designer, run in parallel to validate, then cut over. Most teams complete the transition in days, not months.

Assess Your Architecture Now

Our solutions engineers can walk through your current MOVEit deployment, explain where the exposure surfaces are, and show you how Arc’s Split-Plane Deployment addresses the threat model. No sales pressure.


Why Organizations Choose Arc Over MOVEit

  • Management plane architecturally off the internet
  • Zero-downtime patching: update nodes independently
  • Full EDI translation included (MOVEit is MFT only)
  • 300+ ERP, CRM, and database connectors
  • Flat-rate pricing: no per-partner or per-volume fees

Side by Side

MOVEit Automation vs. CData Arc

Security architecture, capabilities, and operational risk: compared.

Capability | MOVEit Automation | CData Arc
Management plane internet exposure | Internet-facing by default | Architecturally isolated
Split-Plane Deployment | Not supported | Built-in, first-class
DMZ Gateway | Limited network proxy | Native, isolated relay
Zero-downtime patching | Requires full outage | Node-by-node updates
SFTP / FTPS server | Yes | Yes
AS2 (Drummond Certified) | Basic support | 30+ consecutive certifications
AS4 / OFTP2 | Not included | Full support
EDI translation (X12, EDIFACT, HL7) | Not included | 50+ standards, native
ERP & CRM connectors | Not included | 300+ connectors
Visual low-code workflow designer | Script-heavy configuration | Drag-and-drop UI
Flat-rate / predictable pricing | Per-volume, per-user tiers | Flat annual fee available
On-premises deployment | Yes | Yes

Organizations Trust CData Arc to Run Their Most Sensitive File Transfers


Tangentia Migrates Clients from IBM Sterling B2B Integrator to CData Arc

“Typically, onboarding a new client using Sterling Integrator would take four to five months. Now with CData Arc, we were able to migrate all 11 existing projects in just about four months, and new clients take less than two months to onboard.”

— Rushabh Dharwadkar
B2B Technical Lead, Tangentia



P&G Uses CData Arc to Improve Data Security, Syncing, and Accuracy

“We have gained a lot of revenue by increasing the accuracy of our trading partner orders. We are also looking for new breakthroughs in the process of working with new trading partners. Most importantly, for the information sent to customers, we are more confident.”

— Milan Turk
Managing Director, P&G Global Customer eCommerce



ChannelApe Embeds CData Arc, Enables Customer EDI and MFT

“CData Arc has helped our business focus on solving the core problems of D2C supply chains rather than rebuilding proprietary connections for EDI and MFT.”

— Michael Averto
CEO, ChannelApe



Evaluating a migration?

Here’s what we bring to that conversation:

  1. A walkthrough of Split-Plane Deployment mapped to your specific deployment topology
  2. Flat-rate pricing you can model directly against your current MOVEit spend
  3. A migration guide for teams moving off MOVEit

Migration has a cost. So does the status quo, and the status quo just sent you a very specific invoice.

Stop Patching the Symptom. Fix the Architecture.

Try CData Arc free. Deploy on your own infrastructure with Split-Plane security built in.