Flaws in how the Web Admin interface handled session tokens allowed attackers to forge administrative credentials.
Understanding the history of Globalscape vulnerabilities helps administrators recognize the patterns of exploit chains and the necessity of immediate patching. 1. The Ad-Hoc Message Center RCE (CVE-2021-3739)
→ You can jump directly to it without intermediate patches. globalscape terms patched
Restrict Globalscape administrative access to specific internal IP addresses.
If you run Globalscape EFT in a clustered Active-Active configuration, use a rolling upgrade strategy to prevent downtime: Remove Node B from the load balancer routing pool. Stop the EFT server service on Node B. Apply the security patch/upgrade installer on Node B. Flaws in how the Web Admin interface handled
Crucially, this means that not every security-related fix arrives via a separate patch. Some are bundled into the next major release, which may include general bug fixes and feature enhancements alongside security improvements.
A patched application running on a vulnerable operating system is still at risk. Ensure the underlying Windows OS has all the latest security patches installed, especially for broad vulnerabilities like Meltdown and Spectre, which affect the hardware and OS, not the EFT software itself. The principle of running a "single role" server—where only your EFT software is installed—further reduces the attack surface. The Ad-Hoc Message Center RCE (CVE-2021-3739) → You
Globalscape distributes security patches through multiple channels depending on urgency and customer circumstances:
Provided directly to specific clients experiencing isolated, low-scoring flaws. These targeted hotfixes are eventually compiled into the next public maintenance build or major software version release. General Product Lifecycles and EOL Maintenance