
CVE-2021-27101

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 16 February 2021
Modified: 03 November 2025
KEV Added: 03 November 2021
Patch: available (FTA_9_12_380 and later)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0075 (73.5th percentile)
Risk Priority: 40 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-27101 is a critical-severity SQL injection vulnerability in Accellion FTA (the CWE field of this record is unspecified). Its CVSS 3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 26.5% of CVEs by exploit likelihood (EPSS 73.5th percentile), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Accellion FTA versions 9_12_370 and earlier contain a SQL injection vulnerability triggered by a crafted Host header sent to the document_root.html endpoint. The affected component is the Accellion File Transfer Appliance (FTA), a managed file transfer product. The issue carries a CVSS 3.1 base score of 9.8, reflecting a network attack vector of low complexity that requires neither authentication nor user interaction.

An unauthenticated remote attacker can supply a malicious Host header to inject arbitrary SQL statements, gaining read, write, and delete access to the underlying database and potentially a foothold on the host system. Successful exploitation results in a complete loss of confidentiality, integrity, and availability for data processed by the appliance.

Vendor guidance states that the flaw is resolved in FTA version 9_12_380 and later. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, which confirms observed in-the-wild exploitation of unpatched deployments.
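Because this CVE is under active exploitation, a defender's first question is usually whether the appliance's web logs already show crafted Host headers against document_root.html. The detector below is an added example written for this page, not code from Accellion or from this site. It assumes a constructed log format (Apache "combined" with the request Host header appended as a final quoted field) and constructed sample lines; the injection strings in the samples are generic textbook probes, not the payload used in the wild.

```python
import re

# Constructed sample lines: Apache "combined" format with the request Host header appended as a
# final quoted field (LogFormat "... \"%{Host}i\""). These are not real Accellion telemetry.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2021:03:14:07 +0000] "GET /document_root.html HTTP/1.1" 200 1187 "-" "curl/7.64.1" "fta.example.com"
203.0.113.10 - - [12/Jan/2021:03:14:09 +0000] "GET /document_root.html HTTP/1.1" 200 1187 "-" "curl/7.64.1" "fta.example.com' UNION SELECT name FROM users-- "
198.51.100.7 - - [12/Jan/2021:03:15:42 +0000] "GET /index.html HTTP/1.1" 200 5020 "-" "Mozilla/5.0" "fta.example.com"
198.51.100.7 - - [12/Jan/2021:03:16:01 +0000] "POST /document_root.html HTTP/1.1" 500 0 "-" "python-requests/2.25" "x'; SELECT 1-- "
198.51.100.7 - - [12/Jan/2021:03:16:30 +0000] "GET /document_root.html HTTP/1.1" 200 1187 "-" "curl/7.64.1" "fta.example.com%0d%0aX: y"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)
# A legitimate Host header is only a hostname or IP literal plus an optional port.
HOST_SHAPE = re.compile(r"^[A-Za-z0-9.\-\[\]:]+$")
# Tokens that never belong in a Host header and are typical of SQL injection probes.
SQL_TOKENS = re.compile(r"'|--|/\*|;|\bunion\b|\bselect\b", re.IGNORECASE)
# The endpoint named in the advisory.
TARGET = "/document_root.html"


def parse_line(line):
    """Split one access-log line into fields, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a reason string when a request to document_root.html carries a suspicious Host header."""
    path = entry["path"].split("?", 1)[0].lower()
    if not path.endswith(TARGET):
        return None
    host = entry["host"]
    if SQL_TOKENS.search(host):
        return "sql-tokens-in-host"
    if not HOST_SHAPE.match(host):
        return "malformed-host"
    return None


def scan(log_text):
    """Run the detector over a log and return the flagged requests in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append({"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                         "host": entry["host"], "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['reason']}: {hit['host']!r}")
```

The path filter keeps the rule tight to the endpoint this CVE concerns; widening it to every path trades precision for coverage of probes that hit other handlers with the same header. A 200 response to a request with a quoted or commented Host header is the line to escalate first, since a syntax error in the injected SQL typically surfaces as a 5xx instead.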


Vulnerability details

Accellion FTA 9_12_370 and earlier are affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.

CWE(s): not specified in this record
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

accellion:fta, versions ≤ 9_12_370

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Requires validation of all inputs, including HTTP headers, before they reach the document_root.html endpoint, blocking the crafted Host header that triggers the SQL injection.

prevent: SI-2 (Flaw Remediation). Mandates timely application of vendor patches; upgrading from FTA 9_12_370 (or earlier) to 9_12_380 or later removes the flaw.

prevent: access enforcement (control identifier not given in this record). Enforces access-control decisions before a request is processed, limiting an unauthenticated remote attacker's ability to reach the vulnerable endpoint and execute injected SQL.
