CVE-2021-27104
CVE-2021-27104 is a critical-severity vulnerability in Accellion Fta with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-78.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 57% (99th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2021-11-03)
- EU (EUVD) id: EUVD-2021-13874
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2021-11-03)
- Weakness: CWE-78
- Affected product: Accellion Fta
- Published:
- Last modified:
Description
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
CVE-2021-27104: Critical OS Command Injection in Accellion FTA
AI-generated analysis based on the vulnerability data on this page.
Summary
CVE-2021-27104 is a critical OS command injection vulnerability in Accellion's File Transfer Appliance (FTA). An unauthenticated remote attacker can submit a crafted POST request to specific administrative endpoints and execute arbitrary commands on the underlying operating system. The vulnerability carries a CVSS v3.1 score of 9.8 (Critical) and has been actively exploited in the wild since late 2021.
Background
Accellion FTA is a legacy file-transfer appliance that organizations historically deployed to exchange large files and sensitive documents with external parties. While Accellion has since transitioned customers to its newer Kiteworks platform, numerous FTA instances remained in production at the time this flaw was disclosed. Because these appliances typically sit at the network perimeter and handle confidential data, they represent a high-value target for threat actors seeking initial access or data exfiltration.
Root Cause
The underlying weakness is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Several administrative endpoints in FTA do not adequately sanitize user-supplied input before passing it to underlying shell commands. When an attacker sends a crafted POST request containing shell metacharacters, the application interprets the payload as part of the command string rather than as data, leading to arbitrary code execution with the privileges of the web server process.
Impact
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which translates to a base score of 9.8 (Critical).
- Attack Vector (AV): Network — The appliance is remotely reachable without physical or local network presence.
- Attack Complexity (AC): Low — No special conditions are required beyond crafting a malicious POST request.
- Privileges Required (PR): None — Authentication is not necessary.
- User Interaction (UI): None — No victim action is needed.
- Scope (S): Unchanged — The vulnerable component is the only one impacted.
- Confidentiality (C): High — Complete access to files and configuration data on the appliance.
- Integrity (I): High — Attackers can modify files, configurations, or install persistent backdoors.
- Availability (A): High — The appliance can be shut down or rendered inoperable.
Given that FTA appliances often store or proxy sensitive organizational data, successful exploitation can lead to full network compromise, data theft, and ransomware deployment.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive purposes only. No working exploit code is included, and the information is already publicly documented by the vendor and CISA.
The vulnerability is triggered by sending a maliciously crafted POST request to one of the affected administrative endpoints. The request includes shell metacharacters in fields that the application later concatenates into an operating-system command. Because the input is not properly escaped, the operating system executes the attacker-controlled payload.
From a defensive standpoint, exploitation generally follows this pattern:
- Reconnaissance — The attacker identifies an internet-facing Accellion FTA appliance, often through certificate transparency logs, Shodan, or Censys queries.
- Endpoint enumeration — The attacker probes known administrative URI paths to confirm the appliance version and identify vulnerable endpoints.
- Injection — A POST request is constructed with OS command syntax embedded in one or more parameters.
- Execution — The appliance's web server process executes the injected command, granting the attacker a shell or equivalent capability on the host.
- Post-exploitation — With operating-system access, the attacker may extract credentials, pivot to internal networks, or deploy additional tooling.
Defenders should assume that any unpatched FTA instance exposed to the internet has already been scanned and potentially compromised.
Affected and Patched Versions
- Affected: Accellion FTA version 9_12_370 and all earlier versions
- Patched: Accellion FTA version 9_12_380 and later
Accellion released FTA_9_12_380 to remediate this flaw. Organizations still running FTA are strongly urged to migrate to the Kiteworks platform, as FTA has reached end-of-life status.
Remediation
- Upgrade immediately — Apply Accellion FTA version 9_12_380 or later. If your organization is still on FTA, treat migration to Kiteworks as a high-priority initiative.
- Network segmentation — Restrict inbound access to FTA administrative interfaces to a dedicated jump host or management network. Do not expose these endpoints to the open internet.
- Web Application Firewall (WAF) — Deploy a WAF rule set that blocks POST requests containing common shell metacharacters and command-execution patterns directed at FTA endpoints. This is a compensating control, not a substitute for patching.
- Credential rotation — If the appliance was internet-facing and unpatched, rotate all credentials stored on or accessible through the FTA host, including API keys, service accounts, and domain credentials cached by the appliance.
- Forensic review — Engage incident-response teams to review logs for suspicious POST requests, unexpected process executions, or unauthorized file access.
Detection
- Network logs — Monitor for HTTP POST requests to FTA administrative paths that contain shell metacharacters such as semicolons, backticks, pipe symbols, or command substitution syntax.
- Endpoint detection — Alert on anomalous process spawning by the FTA web server process (for example, unexpected
/bin/sh,curl,wget, orpythonchild processes). - File integrity monitoring — Trigger alerts when critical FTA web application files or configuration files are modified outside of approved change windows.
- CISA guidance — Review CISA's Known Exploited Vulnerabilities catalog entry for CVE-2021-27104 for additional indicators of compromise and detection recommendations.
Assessment
CVE-2021-27104 is a textbook example of a critical command-injection flaw in a perimeter appliance. Its EPSS score of 0.56686 (approximately 56.7% probability of exploitation within 30 days) and 0.98944 percentile place it among the most dangerous publicly disclosed vulnerabilities. The fact that CISA added it to the Known Exploited Vulnerabilities catalog on 2021-11-03 — and that the European Union simultaneously flagged it as actively exploited — confirms that threat groups have weaponized this flaw at scale.
Key lessons:
- Input validation is non-negotiable for admin endpoints. Even interfaces intended for privileged users must treat all external input as untrusted and sanitize it before any OS interaction.
- Perimeter appliances require aggressive lifecycle management. Because they sit on the edge of the network and handle sensitive data, any vulnerability in a file-transfer appliance can rapidly escalate from a single-host issue to an enterprise-wide breach.
References
Frequently asked questions
- What is CVE-2021-27104?
- Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
- How severe is CVE-2021-27104?
- CVE-2021-27104 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-27104 being actively exploited?
- Yes. CVE-2021-27104 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-27104?
- CVE-2021-27104 affects Accellion Fta. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-27104?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-27104 have an EU (EUVD) identifier?
- Yes. CVE-2021-27104 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13874. It is also flagged as exploited in the EUVD (since 2021-11-03).
- When was CVE-2021-27104 published?
- CVE-2021-27104 was published on 2021-02-16 and last updated on 2026-06-17.
References
- https://github.com/accellion/CVEs/blob/main/CVE-2021-27104.txt
- https://www.accellion.com/products/fta/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27104
Affected products (1)
- cpe:2.3:a:accellion:fta:*:*:*:*:*:*:*:*
More vulnerabilities in Accellion Fta
- CVE-2021-27730 — Critical (CVSS 9.8): Accellion FTA 9_12_432 and earlier is affected by argument injection via a crafted POST request to an admin endpoint.…
- CVE-2021-27103 — Critical (CVSS 9.8): Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed…
- CVE-2021-27101 — Critical (CVSS 9.8): Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to…
- CVE-2021-27102 — High (CVSS 7.8): Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version…
- CVE-2021-27731 — Medium (CVSS 6.1): Accellion FTA 9_12_432 and earlier is affected by stored XSS via a crafted POST request to a user endpoint. The fixed…
All CVEs affecting Accellion Fta →
Other CWE-78 (OS Command Injection) vulnerabilities
- CVE-2026-56004 — Critical (CVSS 10.0): A shellcode injection in the mercurial handler of the obs tar_scm source service before version 0.12.4 could be used by…
- CVE-2026-56415 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is…
- CVE-2026-56413 — Critical (CVSS 10.0): Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens…
- CVE-2026-49869 — Critical (CVSS 10.0): Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in…
- CVE-2026-49261 — Critical (CVSS 10.0): MariaDB server is a community developed fork of MySQL server. Versions 10.6.1 through 10.6.26, 10.11.1 through…
- CVE-2026-10520 — Critical (CVSS 10.0): An OS Command Injection vulnerability in Ivanti Sentry before the R10.5.2, R10.6.2 and R10.7.1 versions allows a…