CVE-2021-27101
Published: 16 February 2021
Summary
CVE-2021-27101 is a critical-severity an unspecified weakness vulnerability in Accellion Fta. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 26.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Accellion FTA versions 9_12_370 and earlier contain a SQL injection vulnerability triggered by a crafted Host header sent to the document_root.html endpoint. The affected component is the Accellion File Transfer Appliance (FTA), a managed file transfer product. The issue received a CVSS 3.1 score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can supply a malicious Host header to inject arbitrary SQL statements, resulting in full read, write, and delete access to the underlying database and potentially the host system. Successful exploitation grants complete control over confidentiality, integrity, and availability of data processed by the appliance.
Vendor guidance states that the flaw is resolved in FTA version 9_12_380 and later. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild use against unpatched deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13871
Vulnerability details
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
- CWE(s)
- KEV Date Added
- 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all inputs (including HTTP headers) before they reach the document_root.html endpoint, blocking the crafted Host header that triggers SQL injection.
Mandates timely application of vendor patches, directly eliminating the flaw by upgrading from FTA 9_12_370 (or earlier) to 9_12_380 or later.
Enforces access-control decisions before processing requests, limiting the ability of unauthenticated remote attackers to reach the vulnerable endpoint and execute injected SQL.