CVE-2021-27102 — Accellion FTA OS Command Injection Vulnerability

Accellion FTA File Transfer Appliance — Local Web Service OS Command Injection Enables Root Code Execution; Part of UNC2546/CLOP Four-CVE Mass Data Theft Campaign

What is Accellion FTA?

Accellion File Transfer Appliance (FTA) is a legacy enterprise file sharing and managed file transfer solution deployed on-premises at large organizations — banks, law firms, government agencies, healthcare providers, and universities — for secure transfer of large or sensitive files. FTA runs as a dedicated Linux-based appliance accessible over HTTPS, allowing employees and external partners to upload and download files. Because FTA is used specifically for sensitive, large, or regulated file transfers, compromising it provides direct access to the organization's most sensitive documents in transit. Accellion announced end-of-life for FTA in April 2021 following the exploitation campaign; organizations were advised to migrate to Accellion Kiteworks.

Overview

CVE-2021-27102 is an OS command injection vulnerability (CWE-78) in Accellion FTA that is exploitable through a call to a local web service on the appliance. It is one of four vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) exploited by UNC2546, a threat group linked to the CLOP ransomware gang, in a large-scale data theft and extortion campaign that began in December 2020. Because the vulnerable web service is local to the appliance, an attacker must first reach it, typically via CVE-2021-27101 (SQL injection) or CVE-2021-27103 (SSRF); CVE-2021-27102 is then used to execute arbitrary OS commands as root, giving full control of the FTA appliance and every file stored on it.

Affected Versions

Product         Versions                  Vulnerable   Fixed
Accellion FTA   before version 9_12_432   Yes          FTA 9_12_432 (February 2021)

Technical Details

  • Root cause: OS command injection (CWE-78) via a local web service interface on the FTA appliance — a local service (accessible from within the appliance or via SSRF) processes attacker-controlled input that is incorporated into an OS command string without sanitization, enabling injection of arbitrary shell commands
  • AV:L attack vector: The vulnerable local web service call is not directly accessible from external networks; it is reached either from within the appliance (after initial access via another vulnerability) or via SSRF (CVE-2021-27103 redirects external HTTP requests to the local service)
  • Exploitation chain: CVE-2021-27101 (SQL injection → file write → initial foothold) OR CVE-2021-27103 (SSRF to internal services) → CVE-2021-27102 (OS command injection → root shell) → mass file exfiltration of all content stored on the FTA appliance
  • Root-level execution: The local web service on FTA runs with elevated privileges; OS commands injected through CVE-2021-27102 execute as root, giving the attacker full control of the Linux appliance including all stored files, credentials, and configuration
  • CLOP ransomware extortion: UNC2546/CLOP did not encrypt FTA appliances; instead they exfiltrated files and then threatened to publish sensitive data on the CLOP leak site if victims did not pay. This "extortion without encryption" approach was novel at the time and made the FTA campaign the first major pure-extortion operation run by a ransomware group

Discovery

Identified by Mandiant during incident response at multiple Accellion FTA customers in December 2020–January 2021. Mandiant documented the full four-CVE exploitation chain in their February 22, 2021 report. UNC2546 exploited all four FTA CVEs across two waves of attacks (December 2020 and January 2021) against dozens of high-profile organizations worldwide.

Exploitation Context

The Accellion FTA campaign was one of the most impactful data theft campaigns of 2021. Victims included the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, the Office of the Washington State Auditor, Qualys, Jones Day, Kroger, the University of Colorado, and many others — totaling over 100 organizations across 20+ countries. CLOP used the stolen data as extortion leverage, publishing files from non-paying victims. The campaign was notable for targeting end-of-life software (Accellion FTA was already aging at the time), for the pure extortion model (no ransomware deployed on primary systems), and for the industrial scale of exploitation — UNC2546 appeared to scan for and exploit every internet-facing FTA instance during the campaign window.

Remediation

  1. Accellion FTA reached end of life in April 2021 — all remaining FTA deployments should be decommissioned immediately; there are no further security patches
  2. Migrate to Accellion Kiteworks or an alternative managed file transfer solution; do not operate FTA in any environment
  3. If FTA is still in use: immediately disconnect it from the internet, apply the February 2021 patches (FTA 9_12_432), and treat the appliance as potentially compromised — conduct forensic review of all stored files and access logs
  4. For organizations that operated FTA during December 2020–March 2021: assume files stored on the appliance were exfiltrated; notify affected parties per applicable breach notification requirements
  5. Apply network segmentation to any file transfer appliance: restrict internet access to only required transfer endpoints; block all other inbound connections; monitor outbound connections for unexpected data transfers

Key Details

Property               Value
CVE ID                 CVE-2021-27102
Vendor / Product       Accellion / FTA
NVD Published          2021-02-16
NVD Last Modified      2025-11-03
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-78
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    Low
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2020-12-16   First Accellion FTA exploitation detected by Mandiant: UNC2546 exploiting CVE-2021-27101 SQL injection as a zero-day
2021-01-20   Second wave of Accellion FTA exploitation using new CVEs including CVE-2021-27102; dozens of organizations compromised
2021-02-01   Accellion patches available for CVE-2021-27101, 27102, 27103, 27104
2021-02-16   CVEs published
2021-02-22   Mandiant publishes detailed report on the UNC2546 Accellion FTA campaign; CLOP ransomware group begins extortion threats against FTA victims
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline