CVE-2021-27860

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 08 December 2021
Modified: 24 October 2025
KEV Added: 10 January 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3966 (97.4th percentile)
Risk Priority: 63 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-27860 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Fatpipeinc Ipvpn Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The vulnerability CVE-2021-27860 is an unrestricted file upload flaw (CWE-434) in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1. It is tracked under FatPipe advisory FPSA006 and carries a CVSS 3.1 score of 9.8.

A remote unauthenticated attacker can exploit the issue over the network to upload a file to any location on the filesystem, enabling arbitrary code execution or full system compromise.

FatPipe's advisory and related notices from CISA and the FBI IC3 direct administrators to upgrade to the fixed releases listed above. The CVE is also cataloged in CISA's Known Exploited Vulnerabilities list, confirming observed in-the-wild exploitation.

Vulnerability details

A vulnerability in the web management interface of FatPipe WARP, IPVPN, and MPVPN software prior to versions 10.1.2r60p92 and 10.2.2r44p1 allows a remote, unauthenticated attacker to upload a file to any location on the filesystem. The FatPipe advisory identifier for this vulnerability is FPSA006.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: 10 January 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fatpipeinc, Product: ipvpn firmware, Versions: 10.1.2, 10.2.2, 5.2.0, 6.1.2, 7.1.2
Vendor: fatpipeinc, Product: warp firmware, Versions: 10.1.2, 10.2.2, 5.2.0, 6.1.2, 7.1.2
Vendor: fatpipeinc, Product: mpvpn firmware, Versions: 10.1.2, 10.2.2, 5.2.0, 6.1.2, 7.1.2

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of file uploads to the web interface, blocking the unrestricted file-write primitive that enables arbitrary code execution.

Prevent: Enforces access-control policy on the management interface so that only authorized subjects may perform file-upload operations.

Prevent: Requires identification and authentication before any interaction with the web management interface, eliminating the unauthenticated attack vector.