CVE-2021-27104 — Accellion FTA OS Command Injection Vulnerability

CVE-2021-27104

Accellion FTA — OS Command Injection via Admin Endpoints Enabling Root Code Execution; DEWMODE Webshell Deployed in CLOP/FIN11 Data Extortion Campaign

What is Accellion FTA?

Accellion File Transfer Appliance (FTA) was a legacy enterprise secure file sharing platform used by financial institutions, law firms, government agencies, and healthcare organizations for regulated data exchange. See CVE-2021-27101 for context on the broader CLOP/FIN11 campaign and the organizations affected.

Overview

CVE-2021-27104 is an OS command injection vulnerability (CWE-78) in the Accellion FTA administrative endpoints. An attacker sends a crafted POST request to administrative CGI scripts (such as diskusage.pl and format.pl) whose parameters are handed to the shell unfiltered, so embedded shell metacharacters become additional commands that run as root on the appliance. It was one of four FTA zero-days disclosed together (CVE-2021-27101 SQL injection, CVE-2021-27102 command execution via a local web service call, CVE-2021-27103 SSRF, and CVE-2021-27104). In the December 2020 intrusions that Mandiant attributed to UNC2546 (overlapping with FIN11 and the CLOP extortion operation), the SQL injection supplied the access needed to reach the admin endpoint and this command injection provided the code execution stage. The actor used it to write DEWMODE, a PHP web shell that listed and served files from FTA storage, enabling bulk exfiltration. After Accellion's initial patches in December 2020 the actor returned in January 2021 with CVE-2021-27102 and CVE-2021-27103, so an appliance that was patched but not fully examined and rebuilt could still carry a web shell or be re-compromised.

Affected Versions

Product          Vulnerable versions            Fixed in
Accellion FTA    FTA_9_12_370 and earlier        FTA_9_12_380 (later cumulative patches, including FTA_9_12_432, carry the fix)

Technical Details

The Accellion FTA administrative CGI scripts process POST parameters and pass them to OS commands for disk management and file operations:

  • Root cause: OS command injection (CWE-78). Admin CGI scripts in the FTA web interface build shell command lines from user-supplied POST parameters without neutralizing shell metacharacters such as ;, |, &, backticks and $( ).
  • Vulnerable endpoints: administrative CGI scripts including diskusage.pl and format.pl that implement disk management functions.
  • Authentication requirements: the endpoints are not meant to be reachable anonymously, but in the December 2020 intrusions the key material retrieved through the SQL injection (CVE-2021-27101) satisfied the endpoint's check, which is why NVD scores the chain with Privileges Required: None.
  • Execution context: commands run as root on the FTA appliance operating system, so a single injected command can write to the web root, read any stored file, and alter logs.
  • DEWMODE web shell: the actor used the command injection to write the DEWMODE PHP web shell, under a legitimate-looking filename, into the FTA web directory. DEWMODE presented a listing of files and their metadata from the FTA database and allowed the operator to download them, and it included a cleanup function to remove traces of its use.
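The pattern described in the bullets above, as an added example that is not Accellion's code: a disk-usage handler that splices a POST parameter into a shell command line, next to a hardened version that never invokes a shell and checks the parameter against an allowlist. The handler functions, the `path` parameter name and the volume allowlist are assumptions for illustration; the FTA's real parameter names are not known from this page.

```python
"""Added example, not Accellion's code: the CWE-78 pattern behind
CVE-2021-27104 (a POST parameter spliced into a shell command by an admin
CGI handler) next to a hardened version. The handler, the 'path'
parameter and the volume allowlist are assumptions for illustration."""
import re
import subprocess

# Assumed allowlist of volumes an admin may query; real FTA paths are not known.
ALLOWED_VOLUMES = {"/home", "/var/log", "/tmp"}

# Characters that let a value escape the intended argument under /bin/sh.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"]")


def build_vulnerable_command(post_params: dict) -> str:
    """Vulnerable pattern: concatenate the raw parameter into a shell string."""
    path = post_params.get("path", "/home")
    return "du -sh " + path  # no quoting, no validation


def run_vulnerable(post_params: dict) -> str:
    """Executes via /bin/sh, exactly how a CGI script calling system() would.
    Anything after ';' in the parameter runs as a second command."""
    cmd = build_vulnerable_command(post_params)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def build_hardened_command(post_params: dict) -> list:
    """Hardened: reject metacharacters, enforce the allowlist, return argv."""
    path = post_params.get("path", "")
    if SHELL_META.search(path) or path not in ALLOWED_VOLUMES:
        raise ValueError(f"rejected path parameter: {path!r}")
    return ["du", "-sh", path]


def run_hardened(post_params: dict) -> str:
    """argv execution without a shell: the parameter stays one argument."""
    argv = build_hardened_command(post_params)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    payload = {"path": "/tmp; echo INJECTED"}  # constructed attacker input
    print(run_vulnerable(payload))  # du output followed by the injected echo
    try:
        run_hardened(payload)
    except ValueError as err:
        print("hardened handler:", err)
```

The allowlist is the real control: quoting alone still lets an attacker query arbitrary paths, and a denylist of metacharacters is easy to get wrong, so the argv form plus a closed set of accepted values is what a fix for this class of bug should look like.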

Discovery

Identified by Mandiant during incident response at organizations hit by the campaign, which Mandiant tracks as UNC2546 (exploitation) and UNC2582 (extortion), with overlaps to FIN11 and CLOP. CVE-2021-27101 and CVE-2021-27104 were exploited together as zero-days beginning in mid-December 2020; CVE-2021-27102 and CVE-2021-27103 were used in January 2021 after Accellion's first patches.

Exploitation Context

CVE-2021-27104 was the code execution step of the chain: it turned the foothold from the SQL injection (CVE-2021-27101) into root command execution and then into persistent access through the DEWMODE web shell, which gave the operator a file listing and download interface over FTA storage. Data stolen from victims was later published on the CLOP leak site; Accellion stated that fewer than 100 of its roughly 300 FTA customers were attacked and that fewer than 25 suffered significant data theft, and several of those victims faced regulatory scrutiny and litigation. CISA, the FBI and partner agencies published joint advisory AA21-055A on the exploitation; attribution to FIN11/CLOP comes from Mandiant's analysis of UNC2546 rather than from the advisory itself.

Remediation

  1. Apply the latest Accellion FTA patch. FTA_9_12_380 introduced the fix for this CVE and CVE-2021-27101; later cumulative patches (FTA_9_12_432 and above) also cover CVE-2021-27102 and CVE-2021-27103.
  2. Search for the DEWMODE web shell using the file hashes and indicator-of-compromise list Mandiant published, and review every PHP file in the FTA web directory rather than relying on hashes alone.
  3. Perform a full forensic review of the FTA appliance file system. Patching closes the entry point but does not remove a web shell already written to disk.
  4. Review FTA web server access logs for POST requests to diskusage.pl, format.pl and other admin CGI scripts. Flag requests whose URL or query string carries shell metacharacters, but also review every POST to these scripts from unexpected source addresses, because access logs do not record POST bodies.
  5. Audit all files transferred through FTA during the exposure window: compare FTA transfer and download logs against legitimate user activity to scope what may have been exfiltrated.
  6. Migrate off Accellion FTA, which the vendor retired from support on 30 April 2021; see CVE-2021-27101 for full remediation context.
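Steps 2 and 4 above as an added triage example, not code from Accellion, Mandiant or CISA. It parses combined-format access log lines, separates POSTs to the named admin CGI scripts that carry raw or URL-encoded shell metacharacters from the full set of admin CGI POSTs (since bodies are not logged), and matches files against a SHA-256 IOC set. The log layout, the `/cgi-bin/` path prefix, the sample lines and the stand-in hash are all constructed assumptions; substitute the appliance's real log format and Mandiant's published DEWMODE hashes.

```python
"""Added example, not code from Accellion, Mandiant or CISA: triage helpers
for the remediation steps above. The access-log format, the admin CGI names
and the IOC hash set are assumptions; substitute Mandiant's published
DEWMODE hashes and the appliance's real log layout."""
import hashlib
import re
from urllib.parse import unquote

ADMIN_CGI = ("diskusage.pl", "format.pl")

# Metacharacters, raw or URL-encoded, that signal a command-injection attempt.
SHELL_META = re.compile(r"[;&|`$<>]|%0[ad]|%3b|%7c|%26|%60", re.IGNORECASE)

# Assumed combined-log layout: ip ident user [ts] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_access_log(lines):
    """Returns (injection_hits, admin_posts).

    injection_hits: POSTs to an admin CGI whose URL or query string carries
    shell metacharacters. admin_posts: every POST to an admin CGI, because
    access logs do not record POST bodies, so a clean query string alone
    proves nothing and these still need review.
    """
    injection_hits, admin_posts = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = m["url"]
        script = url.split("?", 1)[0]
        if not any(script.endswith(cgi) for cgi in ADMIN_CGI):
            continue
        rec = (m["ip"], m["ts"], unquote(url), m["status"])
        admin_posts.append(rec)
        if SHELL_META.search(url) or SHELL_META.search(unquote(url)):
            injection_hits.append(rec)
    return injection_hits, admin_posts


def match_file_hashes(files, ioc_sha256):
    """files: {path: bytes}. Returns paths whose SHA-256 is in ioc_sha256."""
    return sorted(path for path, data in files.items()
                  if hashlib.sha256(data).hexdigest() in ioc_sha256)


# Constructed sample log lines (documentation IP ranges, not victim data).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Dec/2020:03:14:22 +0000] "POST /cgi-bin/diskusage.pl?path=/home;id HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Dec/2020:03:15:01 +0000] "POST /cgi-bin/format.pl HTTP/1.1" 200 88',
    '192.0.2.4 - - [17/Dec/2020:03:16:40 +0000] "GET /courier/index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [17/Dec/2020:03:17:05 +0000] "POST /cgi-bin/diskusage.pl?path=%2Fhome%3Bcurl%20x HTTP/1.1" 500 0',
]

# Constructed stand-in for a web shell and its hash; this is NOT the DEWMODE hash.
FAKE_SHELL = b"<?php /* constructed stand-in, not DEWMODE */ eval($_POST['c']); ?>"
IOC_SHA256 = {hashlib.sha256(FAKE_SHELL).hexdigest()}

if __name__ == "__main__":
    hits, posts = triage_access_log(SAMPLE_LOG)
    print(f"{len(hits)} injection-like POSTs; {len(posts)} admin CGI POSTs to review")
    for ip, ts, url, status in hits:
        print(f"  {ts} {ip} {status} {url}")
    webroot = {"/srv/web/x.php": FAKE_SHELL, "/srv/web/index.php": b"<?php echo 1; ?>"}
    print("IOC matches:", match_file_hashes(webroot, IOC_SHA256))
```

Decode before matching: the fourth sample line only reveals the `;` after URL decoding, and a detector that inspects the raw request line misses it. A hash match is sufficient but not necessary; a renamed or edited shell will not match, which is why step 3 calls for a full file system review.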

Key Details

Property               Value
CVE ID                 CVE-2021-27104
Vendor / Product       Accellion FTA
NVD Published          2021-02-16
NVD Last Modified      2025-11-03
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78 (OS Command Injection)
CISA KEV Added         2021-11-03
CISA KEV Deadline      2021-11-17
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date          Event
2020-12-16    UNC2546 (FIN11/CLOP) begins exploiting Accellion FTA zero-days CVE-2021-27101 and CVE-2021-27104
2020-12       Accellion releases FTA_9_12_380 closing the SQL injection and this command injection
2021-01       Actor returns using CVE-2021-27102 and CVE-2021-27103 against patched appliances
2021-01-12    Accellion releases further emergency patches for the FTA vulnerabilities
2021-02-16    CVE published
2021-03       CLOP publishes data stolen from victim organizations on its leak site
2021-04-30    Accellion FTA reaches end of life
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17    CISA BOD 22-01 remediation deadline