CVE-2021-27104

CVE-2021-27104 is a critical-severity vulnerability in Accellion Fta with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2021-11-03). The underlying weakness is classified as CWE-78.

Key facts

Description

Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.

CVE-2021-27104: Critical OS Command Injection in Accellion FTA

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2021-27104 is a critical OS command injection vulnerability in Accellion's File Transfer Appliance (FTA). An unauthenticated remote attacker can submit a crafted POST request to specific administrative endpoints and execute arbitrary commands on the underlying operating system. The vulnerability carries a CVSS v3.1 score of 9.8 (Critical) and has been actively exploited in the wild since late 2021.

Background

Accellion FTA is a legacy file-transfer appliance that organizations historically deployed to exchange large files and sensitive documents with external parties. While Accellion has since transitioned customers to its newer Kiteworks platform, numerous FTA instances remained in production at the time this flaw was disclosed. Because these appliances typically sit at the network perimeter and handle confidential data, they represent a high-value target for threat actors seeking initial access or data exfiltration.

Root Cause

The underlying weakness is CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Several administrative endpoints in FTA do not adequately sanitize user-supplied input before passing it to underlying shell commands. When an attacker sends a crafted POST request containing shell metacharacters, the application interprets the payload as part of the command string rather than as data, leading to arbitrary code execution with the privileges of the web server process.

Impact

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which translates to a base score of 9.8 (Critical).

  • Attack Vector (AV): Network — The appliance is remotely reachable without physical or local network presence.
  • Attack Complexity (AC): Low — No special conditions are required beyond crafting a malicious POST request.
  • Privileges Required (PR): None — Authentication is not necessary.
  • User Interaction (UI): None — No victim action is needed.
  • Scope (S): Unchanged — The vulnerable component is the only one impacted.
  • Confidentiality (C): High — Complete access to files and configuration data on the appliance.
  • Integrity (I): High — Attackers can modify files, configurations, or install persistent backdoors.
  • Availability (A): High — The appliance can be shut down or rendered inoperable.

Given that FTA appliances often store or proxy sensitive organizational data, successful exploitation can lead to full network compromise, data theft, and ransomware deployment.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive purposes only. No working exploit code is included, and the information is already publicly documented by the vendor and CISA.

The vulnerability is triggered by sending a maliciously crafted POST request to one of the affected administrative endpoints. The request includes shell metacharacters in fields that the application later concatenates into an operating-system command. Because the input is not properly escaped, the operating system executes the attacker-controlled payload.

From a defensive standpoint, exploitation generally follows this pattern:

  1. Reconnaissance — The attacker identifies an internet-facing Accellion FTA appliance, often through certificate transparency logs, Shodan, or Censys queries.
  2. Endpoint enumeration — The attacker probes known administrative URI paths to confirm the appliance version and identify vulnerable endpoints.
  3. Injection — A POST request is constructed with OS command syntax embedded in one or more parameters.
  4. Execution — The appliance's web server process executes the injected command, granting the attacker a shell or equivalent capability on the host.
  5. Post-exploitation — With operating-system access, the attacker may extract credentials, pivot to internal networks, or deploy additional tooling.

Defenders should assume that any unpatched FTA instance exposed to the internet has already been scanned and potentially compromised.

Affected and Patched Versions

  • Affected: Accellion FTA version 9_12_370 and all earlier versions
  • Patched: Accellion FTA version 9_12_380 and later

Accellion released FTA_9_12_380 to remediate this flaw. Organizations still running FTA are strongly urged to migrate to the Kiteworks platform, as FTA has reached end-of-life status.

Remediation

  1. Upgrade immediately — Apply Accellion FTA version 9_12_380 or later. If your organization is still on FTA, treat migration to Kiteworks as a high-priority initiative.
  2. Network segmentation — Restrict inbound access to FTA administrative interfaces to a dedicated jump host or management network. Do not expose these endpoints to the open internet.
  3. Web Application Firewall (WAF) — Deploy a WAF rule set that blocks POST requests containing common shell metacharacters and command-execution patterns directed at FTA endpoints. This is a compensating control, not a substitute for patching.
  4. Credential rotation — If the appliance was internet-facing and unpatched, rotate all credentials stored on or accessible through the FTA host, including API keys, service accounts, and domain credentials cached by the appliance.
  5. Forensic review — Engage incident-response teams to review logs for suspicious POST requests, unexpected process executions, or unauthorized file access.

Detection

  • Network logs — Monitor for HTTP POST requests to FTA administrative paths that contain shell metacharacters such as semicolons, backticks, pipe symbols, or command substitution syntax.
  • Endpoint detection — Alert on anomalous process spawning by the FTA web server process (for example, unexpected /bin/sh, curl, wget, or python child processes).
  • File integrity monitoring — Trigger alerts when critical FTA web application files or configuration files are modified outside of approved change windows.
  • CISA guidance — Review CISA's Known Exploited Vulnerabilities catalog entry for CVE-2021-27104 for additional indicators of compromise and detection recommendations.

Assessment

CVE-2021-27104 is a textbook example of a critical command-injection flaw in a perimeter appliance. Its EPSS score of 0.56686 (approximately 56.7% probability of exploitation within 30 days) and 0.98944 percentile place it among the most dangerous publicly disclosed vulnerabilities. The fact that CISA added it to the Known Exploited Vulnerabilities catalog on 2021-11-03 — and that the European Union simultaneously flagged it as actively exploited — confirms that threat groups have weaponized this flaw at scale.

Key lessons:

  1. Input validation is non-negotiable for admin endpoints. Even interfaces intended for privileged users must treat all external input as untrusted and sanitize it before any OS interaction.
  2. Perimeter appliances require aggressive lifecycle management. Because they sit on the edge of the network and handle sensitive data, any vulnerability in a file-transfer appliance can rapidly escalate from a single-host issue to an enterprise-wide breach.

References

Frequently asked questions

What is CVE-2021-27104?
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
How severe is CVE-2021-27104?
CVE-2021-27104 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-27104 being actively exploited?
Yes. CVE-2021-27104 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2021-11-03, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-27104?
CVE-2021-27104 affects Accellion Fta. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2021-27104?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-27104 have an EU (EUVD) identifier?
Yes. CVE-2021-27104 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-13874. It is also flagged as exploited in the EUVD (since 2021-11-03).
When was CVE-2021-27104 published?
CVE-2021-27104 was published on 2021-02-16 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Accellion Fta

All CVEs affecting Accellion Fta →

Other CWE-78 (OS Command Injection) vulnerabilities

Browse all CWE-78 (OS Command Injection) vulnerabilities →