CVE-2021-27860 — FatPipe WARP, IPVPN, and MPVPN Configuration Upload exploit

CVE-2021-27860

FatPipe WARP/IPVPN/MPVPN — Unauthenticated Arbitrary File Upload via Web Management Interface Exploited by APT Actors

What is FatPipe MPVPN/WARP/IPVPN?

FatPipe Networks produces WAN optimization and SD-WAN appliances — specifically WARP (WAN Redundancy and Aggregation), IPVPN (IP VPN aggregation), and MPVPN (multi-path VPN) products. These are enterprise networking appliances that aggregate multiple WAN links (e.g., multiple ISP connections) to provide redundant, load-balanced internet connectivity. As internet-facing network appliances, they have web-based management interfaces accessible from the network — and vulnerabilities in these interfaces can provide unauthenticated access to network infrastructure.

Overview

CVE-2021-27860 is an unauthenticated arbitrary file upload vulnerability (CWE-434) in the web management interface of FatPipe WARP, IPVPN, and MPVPN devices. A remote, unauthenticated attacker can upload files to any location on the filesystem. By uploading a webshell to a web-accessible directory, an attacker achieves arbitrary code execution with root privileges on the appliance. The FBI issued a Flash Alert (MU-000167-MW) in November 2021 warning that APT actors had exploited this to gain root access and install webshells on FatPipe devices, using them as pivot points into corporate networks.

Affected Versions

| Product | Vulnerable | Fixed |
|---|---|---|
| FatPipe MPVPN | < 10.1.2r60p93 / < 10.2.2r44p1 | 10.1.2r60p93, 10.2.2r44p1 |
| FatPipe WARP | Corresponding versions | Corresponding fix |
| FatPipe IPVPN | Corresponding versions | Corresponding fix |

Technical Details

The FatPipe web management interface provides a file upload endpoint for configuration and firmware updates. This endpoint lacks proper authentication enforcement, allowing any network-accessible client to upload files without presenting credentials:

  • Root cause: Missing authentication check on the file upload endpoint (CWE-434 — unrestricted upload of file with dangerous type)
  • File placement: The attacker can specify an arbitrary path on the filesystem for the uploaded file
  • Webshell deployment: Uploading a PHP or Perl webshell to a web-accessible directory (e.g., the web server document root) provides interactive code execution via HTTP
  • Execution context: Commands execute as root on the appliance's Linux-based OS
  • APT exploitation: The FBI Flash Alert documented APT actors using this for persistent access: installing webshells, maintaining root-level footholds, and using the compromised appliance as a staging point for lateral movement

Discovery

Identified by FatPipe and reported via security advisory. The FBI's Flash Alert (preceding the formal CVE publication) indicates the FBI was investigating active APT exploitation of this vulnerability before FatPipe published the patch.

Exploitation Context

APT actors used CVE-2021-27860 to establish persistent footholds on enterprise network infrastructure. By compromising a FatPipe WAN aggregation device, adversaries gained a position on the network perimeter that provides visibility into traffic and a pivot point for accessing internal networks. The FBI Flash Alert noted exploitation as far back as May 2021 — months before the advisory — indicating sophisticated actors had prior knowledge of the vulnerability and exploited it as a zero-day.

Remediation

  1. Upgrade FatPipe MPVPN to 10.1.2r60p93 or 10.2.2r44p1 or later; apply corresponding patches for WARP and IPVPN
  2. Check for webshells before assuming patching is sufficient — search for unexpected PHP/Perl files in web-accessible directories on the appliance
  3. Restrict access to the FatPipe web management interface to trusted management IPs only; it should not be exposed to the internet
  4. Review FatPipe web access logs for unexpected file upload requests, especially to sensitive paths
  5. If compromise is confirmed, consider factory reset and fresh configuration rather than just patching over a compromised appliance
  6. Implement network segmentation so compromise of the WAN aggregation device does not immediately expose the full internal network
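
One way to carry out the log review in steps 2 to 4, as an added example that is not FatPipe's or the FBI's tooling: it flags accepted uploads from outside the management allowlist and later requests for scripts missing from a known-good baseline. The log format, `UPLOAD_PREFIX` (a placeholder, since the advisory does not name the endpoint), the management subnet, the baseline set and the sample lines are all assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumptions, not from the advisory: Apache-style combined log lines, a
# placeholder upload path, a management subnet and a known-good script baseline.
UPLOAD_PREFIX = "/PLACEHOLDER/upload"        # substitute the real upload endpoint
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
SCRIPT_EXTS = (".php", ".pl", ".cgi")
BASELINE_SCRIPTS = {"/index.php"}            # inventory taken from a clean image

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                     r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)
    except ValueError:
        return False                         # unparsable source is never trusted

def review(lines):
    """Return (line_no, rule, ip, path) findings in log order."""
    findings, uploaders = [], set()
    for no, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue                         # only requests the server accepted
        # Decode and normalise so %2e%2e or /./ cannot hide the real path.
        path = posixpath.normpath(unquote(urlsplit(m["target"]).path))
        if m["method"] in ("POST", "PUT") and path.startswith(UPLOAD_PREFIX):
            if not trusted(m["ip"]):
                uploaders.add(m["ip"])
                findings.append((no, "upload-from-untrusted-ip", m["ip"], path))
        elif path.lower().endswith(SCRIPT_EXTS) and path not in BASELINE_SCRIPTS:
            rule = "script-hit-after-upload" if m["ip"] in uploaders else "unknown-script"
            findings.append((no, rule, m["ip"], path))
    return findings

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '10.20.0.5 - - [01/Jun/2021:10:00:00 +0000] "POST /PLACEHOLDER/upload HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jun/2021:10:05:00 +0000] "POST /PLACEHOLDER/upload HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jun/2021:10:05:09 +0000] "GET /img/..%2fhelp.php?c=1 HTTP/1.1" 200 90',
    '198.51.100.9 - - [01/Jun/2021:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Jun/2021:10:07:00 +0000] "POST /PLACEHOLDER/upload HTTP/1.1" 401 0',
]

print(*review(SAMPLE), sep="\n")
```

A `script-hit-after-upload` finding ties a non-baseline script request to a source that previously uploaded from outside the allowlist, which is the pattern to escalate first.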

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2021-27860 |
| Vendor / Product | FatPipe — WARP, IPVPN, and MPVPN software |
| NVD Published | 2021-12-08 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-434 |
| CISA KEV Added | 2022-01-10 |
| CISA KEV Deadline | 2022-01-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

Required Action

CISA BOD 22-01 Deadline: 2022-01-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2021-11-17 | FBI releases Flash Alert MU-000167-MW on APT exploitation of CVE-2021-27860 |
| 2021-12-08 | FatPipe publishes security advisory; CVE published |
| 2022-01-10 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-01-24 | CISA BOD 22-01 remediation deadline |