What is Accellion FTA?
Accellion File Transfer Appliance (FTA) was a legacy enterprise secure file sharing platform (physical and virtual appliance) that organizations used to exchange large and sensitive files — replacing insecure email attachments with a secure, logged transfer mechanism. Accellion FTA was deployed by banks, law firms, universities, government agencies, and healthcare organizations to transfer regulated data. The FTA product was approaching end-of-life status in 2021, with Accellion urging customers to migrate to their newer product (kiteworks). Because FTA appliances store sensitive files transferred between organizations — including financial documents, legal filings, medical records, and proprietary data — compromising FTA gave attackers access to a trove of high-value exfiltrable data.
Overview
CVE-2021-27101 is a SQL injection vulnerability (CWE-89) in the Accellion FTA web interface exploited via a crafted Host header in a request to document_root.html. Unauthenticated attackers can inject SQL commands through the Host header to access the FTA database, extract user credentials and file transfer metadata, and gain a foothold for further exploitation. This vulnerability was the entry point in a multi-CVE attack chain (CVE-2021-27101 + CVE-2021-27103 + CVE-2021-27104) exploited by FIN11 (a threat group associated with CLOP ransomware) beginning in December 2020 — before patches were available. CLOP used the chain to steal data from over 100 organizations globally and publish it on their extortion leak site.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Accellion FTA versions before FTA_9_12_432 | Yes | FTA_9_12_432 |
Technical Details
The Accellion FTA web interface uses the Host header of incoming HTTP requests as part of SQL query construction:
- Root cause: SQL injection (CWE-89) — the document_root.html endpoint incorporates the HTTP Host header directly into a SQL query without parameterization or escaping
- Injection vector: An attacker sends a request to document_root.html with a maliciously crafted Host header value containing SQL injection payloads
- No authentication required: The endpoint is accessible without prior authentication
- Database access: Successful injection allows reading FTA database contents including user credentials (email addresses, password hashes), file transfer records, and session tokens
- Chain entry point: In the FIN11/CLOP attack chain, CVE-2021-27101 provided initial access and credential harvesting, which was combined with CVE-2021-27103 (SSRF) and CVE-2021-27104 (OS command injection) to achieve full appliance compromise and DEWMODE webshell installation
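The root cause above, shown as an added example (not Accellion's code): a query built by concatenating the Host header beside a hardened version that validates the header and binds it as a parameter. The table `site_config`, the hostnames, and all function names are hypothetical, and SQLite stands in for the appliance's database.

```python
import re
import sqlite3

# Assumption: hostnames this appliance legitimately serves (constructed values).
ALLOWED_HOSTS = {"fta.example.org", "transfer.example.org"}
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# host[:port] built from letter-digit-hyphen labels; quotes and spaces never match.
HOST_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?")

def normalize_host(raw):
    """Return the allow-listed hostname from a Host header value, else None."""
    value = raw.strip().lower()
    if len(value) > 259 or not HOST_RE.fullmatch(value):
        return None
    name = value.split(":", 1)[0]
    return name if name in ALLOWED_HOSTS else None

def make_db():
    """Hypothetical per-hostname config table, standing in for the real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE site_config (hostname TEXT PRIMARY KEY, banner TEXT)")
    db.executemany("INSERT INTO site_config VALUES (?, ?)",
                   [("fta.example.org", "Primary"), ("transfer.example.org", "Partner")])
    return db

def lookup_concatenated(db, host_header):
    # The flawed pattern: header text becomes part of the SQL statement itself.
    sql = "SELECT banner FROM site_config WHERE hostname = '" + host_header + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_hardened(db, host_header):
    host = normalize_host(host_header)
    if host is None:
        return []  # malformed or unknown Host: reject before touching the database
    # Bound parameter: the driver passes the value as data, never as SQL syntax.
    sql = "SELECT banner FROM site_config WHERE hostname = ?"
    return [row[0] for row in db.execute(sql, (host,))]

if __name__ == "__main__":
    db = make_db()
    # Constructed header values: one legitimate, one carrying a quote character.
    for header in ("fta.example.org:443", "x' OR '1'='1"):
        print(repr(header), lookup_concatenated(db, header), lookup_hardened(db, header))
```

With the quote-carrying value, the concatenated query returns every row because the header rewrote the WHERE clause, while the hardened lookup returns nothing.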
Discovery
Discovered by Mandiant (then FireEye Mandiant) during incident response investigations at multiple organizations affected by the CLOP ransomware campaign. Mandiant tracked the exploitation activity as UNC2546 (assessed as a FIN11 affiliate). The attacks began in December 2020, when the vulnerabilities were still zero-days.
Exploitation Context
The Accellion FTA campaign was one of the most impactful data theft operations of 2021. Victim organizations included the Reserve Bank of New Zealand, University of California, Kroger, Singapore Telecommunications (Singtel), Shell, Bombardier, Qualys, and Jones Day — over 100 organizations across financial services, legal, healthcare, government, and technology sectors. FIN11/CLOP stole sensitive data and threatened to publish it on their "CL0P^_-LEAKS" dark web site unless victims paid extortion demands. This was an early, high-profile example of double-extortion ransomware tactics focused on data theft rather than (or in addition to) encryption.
Remediation
- Apply Accellion FTA patch FTA_9_12_432 or later — this addresses all three FTA CVEs (CVE-2021-27101, -27103, -27104)
- Strongly consider migrating from EOL Accellion FTA to a currently-supported secure file transfer solution (Accellion's kiteworks or equivalent)
- Review FTA transfer logs for unauthorized file access during the exploitation window (December 2020 onward)
- Check for DEWMODE webshell artifacts (Mandiant's published IoCs) in the FTA installation directory
- Notify affected parties if sensitive data may have been exfiltrated from FTA
- Rotate all credentials and tokens stored in or transferred through the FTA appliance
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2021-27101 |
| Vendor / Product | Accellion — FTA |
| NVD Published | 2021-02-16 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CISA KEV Added | 2021-11-03 |
| CISA KEV Deadline | 2021-11-17 |
| Known Ransomware Use | ⚠️ Yes |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2020-12-16 | FIN11/UNC2546 begins exploiting Accellion FTA zero-days (CVE-2021-27101, -27103, -27104) |
| 2021-01-12 | Accellion releases emergency patches for FTA vulnerabilities |
| 2021-02-16 | CVE published; Mandiant and Accellion disclose CLOP ransomware exploitation |
| 2021-03 | CLOP publishes stolen data from 100+ organizations on their leak site |
| 2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2021-11-17 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Accellion FTA Security Update — March 2021 | Vendor Advisory |
| Mandiant — Accellion FTA Exploited by FIN11/CLOP | Security Research |
| NVD — CVE-2021-27101 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |