A security flaw has been found in the Biscom Secure File Transfer (SFT) server that can allow Remote Code Execution (RCE) on the server.
The fixed versions are:
- SFT 5.1.1074 and later
- SFT 6.0.1006 and later
It is recommended that all affected versions of SFT be upgraded immediately.
The specifics of the exploit will be added to this document 90 days after publication, so that all SFT customers have been notified and have had a chance to upgrade first.
The vulnerability involved exploiting a flaw in a common library used by the application. The fix was to have the SFT application code directly handle the function that was previously handled by the library.