Notice:
A security flaw has been found in the Biscom Secure File Transfer (SFT) server that can allow Remote Code Execution (RCE) on the server.
The fixed versions are:
- SFT 5.1.1074 and later
- SFT 6.0.1006 and later
It is recommended that all affected versions of SFT be upgraded immediately.
Issue summary:
This document will be updated to include the specifics of the exploit 90 days after publication, to ensure all customers of SFT have been notified and have had a chance to upgrade.
Fix details:
The vulnerability involved exploiting a flaw in a common library used by the application. The fix was to have the SFT application code directly handle the function that was previously handled by the library.