Cyber Resilience

CVE-2021-27104

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 16 February 2021
Modified: 03 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0639 (91.2nd percentile)
Risk Priority: 43 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-27104 is a critical-severity OS Command Injection (CWE-78) vulnerability in Accellion FTA. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.8% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Accellion FTA versions 9_12_370 and earlier contain an OS command injection vulnerability, tracked as CVE-2021-27104 and assigned CWE-78. The flaw resides in multiple administrative endpoints that process POST requests, allowing arbitrary operating system commands to be executed on the underlying server. The issue carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.

An unauthenticated remote attacker can submit a specially crafted POST request to the affected admin endpoints and obtain full control over the Accellion FTA appliance, including the ability to read, modify, or delete data and execute further commands on the host. Because the vulnerability does not require credentials, it can be targeted by any party with network reachability to the appliance.

Vendor guidance states that the vulnerability is resolved in FTA version 9_12_380 and later. The affected product page and the Accellion CVE disclosure both direct customers to upgrade to the patched release. The entry also appears in the CISA Known Exploited Vulnerabilities catalog, confirming that the flaw has been observed in active exploitation campaigns.

EU & UK References

Vulnerability details

Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.

CWE(s): CWE-78
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

accellion fta ≤ 9_12_370

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10 Information Input Validation): Directly requires validation of all inputs on the admin POST endpoints to block crafted OS commands (CWE-78).
- prevent (AC-3 Access Enforcement): Enforces access-control policy so unauthenticated network callers cannot reach the privileged admin endpoints at all.
- prevent: Mandates timely application of the vendor-supplied patch (FTA 9_12_380+) that eliminates the command-injection flaw.
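The two preventive controls named above, input validation (SI-10) and access enforcement (AC-3), are easiest to see side by side in code. The following is an added illustration written for this page, not Accellion's code and not derived from the FTA endpoints: `AdminRequest`, the `host` form field and the `ping` command are all constructed assumptions. It contrasts the generic CWE-78 shape (an untrusted POST field spliced into a shell string) with a handler that checks the caller's role first, validates the one accepted value against an allowlist, and passes it to the OS as a single argv element with no shell involved.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed request model standing in for whatever the web framework provides.
@dataclass
class AdminRequest:
    authenticated: bool
    role: str
    form: dict = field(default_factory=dict)

class Rejected(Exception):
    """Raised when a request fails an access-control or input-validation check."""

# CWE-78 shape (hypothetical, for contrast only): the untrusted field becomes part
# of a shell command line, so metacharacters in it are interpreted by the shell.
# This function only builds the string; nothing here executes it.
def build_command_unsafe(form: dict) -> str:
    return "ping -c 1 " + form.get("host", "")

# SI-10: strict allowlist for the single value the endpoint accepts. Hostname
# characters only, no shell metacharacters, and no leading '-' that the target
# program could parse as an option.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")

def validate_host(value: str) -> str:
    if not HOST_RE.fullmatch(value):
        raise Rejected(f"host rejected by allowlist: {value!r}")
    return value

# Records argv instead of executing, so the handler can be exercised offline.
DRY_CALLS: list = []
def dry_run(argv, **kwargs):
    DRY_CALLS.append((list(argv), dict(kwargs)))
    return None

def handle_admin_post(req: AdminRequest, runner=subprocess.run) -> list:
    # AC-3: enforce authentication and role before any privileged code path,
    # so an unauthenticated caller never reaches validation or execution.
    if not req.authenticated or req.role != "admin":
        raise Rejected("access denied")
    host = validate_host(req.form.get("host", ""))
    # Argument vector with shell=False: the value is one argv element and the OS
    # never sees it as shell syntax, even if validation were somehow bypassed.
    argv = ["ping", "-c", "1", host]
    runner(argv, shell=False, check=False, capture_output=True, timeout=5)
    return argv

if __name__ == "__main__":
    req = AdminRequest(authenticated=True, role="admin", form={"host": "example.com"})
    print(handle_admin_post(req, runner=dry_run))
    try:
        handle_admin_post(AdminRequest(True, "admin", {"host": "example.com; id"}), runner=dry_run)
    except Rejected as exc:
        print("rejected:", exc)
```

Note the ordering: the role check runs before the field is even read, which is the AC-3 point the page makes (unauthenticated callers should not reach the endpoint at all), and the allowlist plus argv-list execution together cover SI-10 without relying on escaping.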

References