Security Bulletin for Biscom Secure File Transfer (SFT) – BIS-SFT-CV-009
A security flaw has been found in Biscom Secure File Transfer server that can allow Remote Code Execution (RCE) on the server.
The severity of this issue is considered Critical. The exploitability is limited by the fact that an attacker would need to have a thorough understanding of the application and implementation or to have been able to observe unencrypted traffic to discover this exploit.
The following versions are affected:
- All versions of SFT 5 through 5.1.1070
- 6.0.1000 through 6.0.1004
The fixed versions are:
- SFT 5.1.1071 and later
- SFT 6.0.1005 and later
It is recommended that all affected versions of SFT be upgraded immediately.
This document will be updated to include the specifics of the exploit 90 days after publication to ensure all customers of SFT have been notified and had a chance to upgrade.
The vulnerability involved exploiting a flaw in a common library used by the application. The fix was to have the SFT application code directly handle the function that was previously handled by the library.