CVE-2021-27103 — Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability

Accellion FTA — SSRF via Crafted POST to wmProgressstat.html; Part of CLOP/FIN11 Exploit Chain Breaching 100+ Organizations in 2020–2021

What is Accellion FTA?

Accellion File Transfer Appliance (FTA) was a legacy enterprise file sharing platform used by banks, law firms, government agencies, and healthcare organizations to exchange sensitive files. The appliance stored and tracked all file transfers, making it a repository of sensitive organizational data. See CVE-2021-27101 for context on the broader Accellion FTA attack campaign and the organizations affected.

Overview

CVE-2021-27103 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Accellion FTA web interface. An attacker sends a crafted POST request to wmProgressstat.html to cause the FTA appliance to make HTTP requests to attacker-controlled internal or external destinations. In the FIN11/CLOP attack chain, this SSRF was used alongside CVE-2021-27101 (SQL injection) and CVE-2021-27104 (OS command injection) to achieve full appliance compromise. The SSRF component enabled callback communication with the attacker's command-and-control infrastructure and internal network reconnaissance. All three CVEs were zero-days exploited beginning December 2020.

Affected Versions

Product                                      Vulnerable   Fixed
Accellion FTA versions before FTA_9_12_432   Yes          FTA_9_12_432

Technical Details

The wmProgressstat.html endpoint in Accellion FTA accepts POST requests that include URL parameters for tracking file transfer progress. These URL parameters are used by the server to make outbound HTTP requests without adequate validation:

  • Root cause: Server-side request forgery (CWE-918) — the wmProgressstat.html endpoint makes HTTP requests to URLs specified in attacker-controlled POST parameters without restricting the destination to allowed hosts
  • SSRF capabilities: The attacker can cause the FTA appliance to make requests to:
    • Internal network resources (bypassing network perimeter controls)
    • Attacker-controlled external servers (for C2 callback and data exfiltration)
    • Cloud metadata endpoints (if hosted in cloud infrastructure)
  • No authentication required: The endpoint is accessible without prior authentication
  • Chain role: In the FIN11/CLOP attack, SSRF enabled C2 channel establishment for the DEWMODE webshell (deployed via CVE-2021-27104) and supported the NOTSKI credential stealer's data exfiltration path
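The missing control described above is a destination check on the URL taken from the POST parameter. The following is an added example, not Accellion's code or patch: it validates a caller-supplied URL against a host allowlist and then checks every address the host resolves to against loopback, RFC 1918, link-local (including the cloud metadata range) and IPv6 internal ranges. The allowlist, the sample URLs and the offline resolver in the usage section are constructed assumptions for the example.

```python
"""Allowlist and address checks for a server-side fetch whose destination comes from a request.

Added example, not Accellion code: it shows the validation that CWE-918 describes
as missing in the endpoint above. The allowlist, the URLs and the resolver used in
the usage section are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts this service is permitted to call back to (constructed for the example).
ALLOWED_HOSTS = {"status.example.com", "cdn.example.com", "api.example.com"}

# Ranges that a request built from user input must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8",                        # "this" network and loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 internal ranges
    "169.254.0.0/16",                                  # link-local, includes cloud metadata services
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, unique-local, link-local
)]


def system_resolver(host):
    """Resolve a hostname to every address it maps to, using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_target(url, resolver=system_resolver):
    """Return (True, "ok") if url may be fetched, otherwise (False, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist: %r" % host
    # An allowlisted name can still point at an internal address (misconfigured or
    # attacker-controlled DNS), so check every address it resolves to. Production code
    # should also connect to the address it checked rather than resolving a second time.
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, "resolution failed for %r: %s" % (host, exc)
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, "host %r resolves to blocked address %s" % (host, ip)
    return True, "ok"


if __name__ == "__main__":
    # Constructed, offline stand-in for DNS so the example runs without network access.
    table = {"status.example.com": ["203.0.113.10"],
             "cdn.example.com": ["127.0.0.1"],
             "api.example.com": ["2001:db8::1", "::ffff:10.0.0.1"]}
    fake_resolver = lambda host: table.get(host.lower(), [])
    for candidate in ("https://status.example.com/progress?id=42",
                      "http://cdn.example.com/x",
                      "http://api.example.com/v1",
                      "http://169.254.169.254/latest/meta-data/",
                      "ftp://status.example.com/"):
        print(candidate, check_target(candidate, fake_resolver))
```

The allowlist alone stops arbitrary external and metadata destinations; the resolution check is what closes the remaining gap where an approved name is pointed at an internal address.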

Discovery

Identified by Mandiant during incident response analysis of the FIN11/CLOP Accellion FTA campaign. All three CVEs were present and chained in the same exploitation activity.

Exploitation Context

The CLOP ransomware campaign that exploited the Accellion FTA vulnerability chain was notable for its data theft focus. Rather than deploying ransomware encryption (which would make the attack immediately visible), FIN11/CLOP used the DEWMODE webshell to quietly exfiltrate files from FTA storage over weeks or months before victims realized they had been breached. The SSRF component facilitated covert C2 communication that blended with legitimate FTA outbound traffic patterns. Over 100 organizations in multiple countries were affected.

Remediation

  1. Apply Accellion FTA patch FTA_9_12_432 or later — this addresses all three FTA CVEs (CVE-2021-27101, -27103, -27104)
  2. Examine FTA outbound network connections for unexpected requests to external IPs or unusual internal destinations
  3. Check FTA logs for POST requests to wmProgressstat.html with unusual URL parameter values
  4. Look for DEWMODE webshell indicators (Mandiant's published IoCs) in FTA web directories
  5. Migrate from Accellion FTA to a supported file transfer platform — Accellion itself recommended migration to their kiteworks product given FTA's EOL status
  6. See CVE-2021-27101 for full remediation context on the FTA attack chain
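Steps 2 and 3 above can be scripted against web access logs. The following is an added example, not Accellion tooling or Mandiant's published detection: it parses lines in the common "combined" access-log format, keeps POST requests to wmProgressstat.html, and reports any query parameter whose value is an absolute http(s) URL pointing at a host outside an allowlist. The parameter name statusURL, the allowlist and the log lines are constructed assumptions; if the appliance logs only the request line and the URL parameter travels in the POST body, the path filter still yields the list of requests to inspect by other means.

```python
"""Hunt for POST requests to wmProgressstat.html whose URL parameters point outside the allowlist.

Added example, not part of the advisory or of vendor tooling. Assumes Apache/nginx
'combined' log format and that URL-valued parameters appear in the request-line query
string. The parameter name, allowlist and sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fields of the 'combined' format we need: client, time, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory; the filter matches it under any path prefix.
ENDPOINT = "/wmprogressstat.html"

# Hosts the appliance is legitimately expected to contact (constructed for the example).
ALLOWED_HOSTS = {"fta.example.internal"}

# Constructed sample log: one legitimate internal callback and two that leave the allowlist.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2020:02:13:44 +0000] "GET /login.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2020:02:14:02 +0000] "POST /wmProgressstat.html?statusURL=http%3A%2F%2F198.51.100.23%2Fcb HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.15 - - [17/Dec/2020:02:15:10 +0000] "POST /wmProgressstat.html?statusURL=https%3A%2F%2Ffta.example.internal%2Fprogress HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2020:02:16:31 +0000] "POST /wmProgressstat.html?statusURL=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not an access-log record
"""


def parse_line(line):
    """Return the needed fields as a dict, or None if the line is not a combined-format record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def url_valued_params(target):
    """Yield (name, value, host) for each query parameter whose value is an absolute http(s) URL."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            try:
                parts = urlsplit(value)
            except ValueError:
                continue  # malformed value: not a URL we can reason about
            if parts.scheme in ("http", "https") and parts.hostname:
                yield name, value, parts.hostname.lower()


def find_suspicious(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per non-allowlisted URL parameter on a POST to the endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if not urlsplit(rec["target"]).path.lower().endswith(ENDPOINT):
            continue
        for name, value, host in url_valued_params(rec["target"]):
            if host in allowed_hosts:
                continue
            findings.append({"client": rec["client"], "time": rec["time"],
                             "status": rec["status"], "param": name,
                             "host": host, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("%(time)s %(client)s -> %(host)s via %(param)s (HTTP %(status)s)" % f)
```

Run it over the real log files instead of SAMPLE_LOG by reading them into the same function; extend ALLOWED_HOSTS with the hosts the appliance is known to report progress to, and treat every remaining finding as a lead for step 2's review of outbound connections from the same time window.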

Key Details

Property              Value
CVE ID                CVE-2021-27103
Vendor / Product      Accellion — FTA
NVD Published         2021-02-16
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-918
CISA KEV Added        2021-11-03
CISA KEV Deadline     2021-11-17
Known Ransomware Use  ⚠️ Yes

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date         Event
2020-12-16   FIN11/UNC2546 begins exploiting Accellion FTA zero-days (CVE-2021-27101, -27103, -27104)
2021-01-12   Accellion releases emergency patches for FTA vulnerabilities
2021-02-16   CVE published
2021-03      CLOP publishes stolen data from 100+ victim organizations
2021-11-03   Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17   CISA BOD 22-01 remediation deadline