Cyber Resilience

CVE-2021-27103

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 16 February 2021
Modified: 03 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0110 (78.5th percentile)
Risk Priority: 40 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-27103 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in Accellion FTA. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 21.5% of CVEs by exploit likelihood (EPSS 78.5th percentile), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Accellion FTA versions 9_12_411 and earlier contain a server-side request forgery vulnerability tracked as CVE-2021-27103 and classified as CWE-918. The flaw resides in the handling of a crafted POST request to wmProgressstat.html and carries a CVSS 3.1 base score of 9.8, reflecting that it is exploitable over the network without authentication or user interaction.

An unauthenticated attacker can submit a malicious request that causes the FTA server to issue arbitrary outbound requests, potentially reaching internal systems and resources that would otherwise be inaccessible. Successful exploitation can result in full compromise of confidentiality, integrity, and availability of the affected appliance and any reachable backend infrastructure.

The vendor states that the issue is resolved in FTA version 9_12_416 and later. The vulnerability appears in CISA’s catalog of known exploited vulnerabilities, confirming active in-the-wild use against unpatched installations.

Vulnerability details

Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.


Related Threats

Threat-Actor Attribution [AI]

UNC2546: Mandiant attributes initial exploitation of Accellion FTA zero-days, including CVE-2021-27103, to UNC2546 (later linked to Clop).
Clop: Mandiant and public reporting tie post-exploitation Clop ransomware deployments to UNC2546's Accellion access campaigns.

Affected Assets

Vendor: accellion
Product: fta
Versions: ≤ 9_12_416

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly blocks the unauthorized server-initiated outbound requests to internal resources that define this SSRF flaw.

prevent: Rejects the crafted POST data to wmProgressstat.html before the server can be tricked into issuing arbitrary requests.

prevent: Enforces boundary rules that can deny the FTA server's ability to reach otherwise inaccessible internal destinations.