A security flaw has been found in the Biscom Secure File Transfer (SFT) server that can allow Remote Code Execution (RCE) on the server.

The fixed versions are: 

  • SFT 5.1.1074 and later 
  • SFT 6.0.1006 and later 

It is recommended that all affected versions of SFT be upgraded immediately. 

Issue summary:  

This document will be updated to include the specifics of the exploit 90 days after publication to ensure all customers of SFT have been notified and had a chance to upgrade. 

Fix details: 

The vulnerability involved exploiting a flaw in a common library used by the application. The fix was to have the SFT application code directly handle the function that was previously handled by the library.