CVE-2021-27103
Published: 16 February 2021
Summary
CVE-2021-27103 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Accellion FTA. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 21.5% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Accellion FTA versions 9_12_411 and earlier contain a server-side request forgery vulnerability tracked as CVE-2021-27103 and classified as CWE-918. The flaw resides in the handling of a crafted POST request to wmProgressstat.html and carries a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction.
An unauthenticated attacker can submit a malicious request that causes the FTA server to issue arbitrary outbound requests, potentially reaching internal systems and resources that would otherwise be inaccessible. Successful exploitation can result in full compromise of confidentiality, integrity, and availability of the affected appliance and any reachable backend infrastructure.
The vendor states that the issue is resolved in FTA version 9_12_416 and later. The vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming active in-the-wild use against unpatched installations.
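As an added example (not part of this advisory or of any Accellion tooling), a small Python helper for the two checks a defender wants from the text above: whether an installed FTA version predates the fixed release 9_12_416, and whether web access logs contain POST requests to wmProgressstat.html. The log lines are constructed, the combined log format, the internal address ranges and the assumption that the file is served at a path ending in that name are all assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in combined format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "POST /wmProgressstat.html HTTP/1.1" 200 312 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "POST /wmProgressstat.html HTTP/1.1" 500 0 "-" "python-requests/2.25"
10.0.0.9 - - [10/Mar/2021:12:00:04 +0000] "GET /wmProgressstat.html HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

# Assumed internal ranges of the organisation; adjust to your own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_fta_version(v: str) -> tuple:
    """Turn '9_12_411' or 'FTA_9_12_416' into a comparable tuple of integers."""
    parts = [p for p in v.split("_") if p.isdigit()]
    if not parts:
        raise ValueError(f"unrecognised FTA version: {v!r}")
    return tuple(int(p) for p in parts)


FIXED_VERSION = parse_fta_version("9_12_416")  # first fixed release named in the advisory


def is_vulnerable_version(v: str) -> bool:
    """True when the version is older than the fixed release."""
    return parse_fta_version(v) < FIXED_VERSION


def find_wmprogressstat_posts(log_text: str) -> list:
    """Return every POST to wmProgressstat.html with source, time, status and origin class."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?")[0].lower()
        if path.endswith("/wmprogressstat.html"):
            src = ip_address(m["src"])
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                         "internal": any(src in n for n in INTERNAL_NETS)})
    return hits
```

A hit from an address outside INTERNAL_NETS on an appliance still running a version for which is_vulnerable_version() returns True is the case to escalate.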
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-13873
Vulnerability details
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
- CWE(s): CWE-918
- KEV Date Added: 03 November 2021
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): directly blocks the unauthorized server-initiated outbound requests to internal resources that define this SSRF flaw.
- SI-10 (Information Input Validation): rejects the crafted POST data to wmProgressstat.html before the server can be tricked into issuing arbitrary requests.
- Enforces boundary rules that can deny the FTA server’s ability to reach otherwise inaccessible internal destinations.