CVE-2021-27102
Published: 16 February 2021
Summary
CVE-2021-27102 is a high-severity OS Command Injection (CWE-78) vulnerability in Accellion FTA. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 48.2nd percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Accellion FTA versions 9_12_411 and earlier contain an OS command injection vulnerability, tracked as CVE-2021-27102 and assigned CWE-78. The flaw is an improper neutralization of special elements used in an OS command, exposed through a local web service call. The CVSS 3.1 base score is 7.8, with an attack vector of local, low attack complexity, and low privileges required.
A local attacker who can reach the affected web service can supply crafted input that results in arbitrary operating-system command execution. Successful exploitation grants the attacker full control over confidentiality, integrity, and availability on the host, consistent with the high impact ratings in the vector string.
The vendor states that the issue is resolved in FTA 9_12_416 and later releases. Accellion’s product page and the accompanying CVE disclosure file provide the fixed build information, while CISA lists the vulnerability in its catalog of known exploited vulnerabilities, confirming observed in-the-wild use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13872
Vulnerability details
Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.
- CWE(s): CWE-78
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the CWE-78 OS command injection by validating and neutralizing special characters in input supplied to the local web service call.
- SI-2 (Flaw Remediation): requires timely application of the vendor-supplied patch (FTA 9_12_416 and later) that eliminates the vulnerable code path in Accellion FTA.
- Least functionality: limits the web service to only the functions it requires, reducing the attack surface available for local command execution.