CVE-2021-27101

CVSS v3.1 base score: 9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Accellion FTA lets an unauthenticated attacker execute arbitrary SQL statements against the appliance's database by requesting the document_root.html endpoint with a crafted Host header. It affects all Accellion FTA versions up to and including 9_12_370 and was used in the wild as the entry point for data theft and full takeover of the file transfer appliance.

💻 Affected Systems

Products:
  • Accellion File Transfer Appliance (FTA)
Versions: All versions up to and including 9_12_370
Operating Systems: Accellion FTA appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation

📦 What is this software?

Accellion File Transfer Appliance (FTA) is a legacy, web-managed appliance for sending and sharing large files with internal users and external parties. It is a roughly 20-year-old product that Accellion has retired in favour of its Kiteworks platform.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise leading to data exfiltration, ransomware deployment, or use as a pivot point into internal networks

🟠

Likely Case

Database compromise allowing theft of sensitive files and user credentials stored in the FTA system

🟢

If Mitigated

Limited impact if proper network segmentation and web application firewalls block malicious SQL injection attempts

🌐 Internet-Facing: HIGH - Directly exploitable via HTTP requests with no authentication required
🏢 Internal Only: HIGH - Even internally accessible instances are vulnerable to network-based attacks

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing more than a crafted HTTP request with a malicious Host header; the flaw was exploited at scale in the late-2020 / early-2021 Accellion FTA breach campaign, where it served as the initial foothold for web shell deployment and data theft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FTA_9_12_380 and later

Vendor Advisory: https://www.accellion.com/products/fta/

Restart Required: Yes

Instructions:

1. Download FTA_9_12_380 or later from the Accellion support portal. Install the newest release available rather than 9_12_380 itself, since later FTA releases fix additional flaws exploited in the same campaign.
2. Back up the current configuration.
3. Apply the update via the FTA admin interface.
4. Restart the FTA appliance.
5. Verify in the admin interface that the reported version is 9_12_380 or higher.

FTA is a retired product, so treat the update as a stopgap and plan migration off the appliance rather than relying on further fixes for it.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platform: all

Block requests for document_root.html whose Host header contains SQL metacharacters or keywords (quotes, comment sequences, UNION, SELECT), and restrict who can reach the endpoint at all. A legitimate Host header only ever holds a hostname and optional port, so a strict allow-list on that header is both simpler and harder to bypass than pattern-matching SQL keywords.

WAF rules are a stopgap: they reduce exposure but do not remove the injection, and encoding tricks can evade keyword-based signatures.

Network Access Control

Platform: linux

Restrict access to the FTA web interface to authorized IP addresses only. The rules below belong on a Linux firewall or reverse proxy in front of the appliance, since the FTA itself may not give you a shell; they are inserted at the head of the INPUT chain so an existing broad ACCEPT rule cannot shadow the DROP. Repeat for port 80 if the appliance also listens there.

# Allow only TRUSTED_IP to reach the web interface, then drop everyone else
iptables -I INPUT 1 -p tcp --dport 443 -s TRUSTED_IP -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Immediately isolate the FTA appliance from internet access and restrict to internal trusted networks only
  • Implement strict network monitoring and alerting for any SQL injection attempts against the FTA web interface

🔍 How to Verify

Check if Vulnerable:

Compare the version shown in the FTA admin interface against 9_12_380; anything lower is vulnerable. If you have shell access on the appliance, the page's suggested check is: grep 'Version' /usr/local/apache2/conf/httpd.conf

Check Version:

grep 'Version' /usr/local/apache2/conf/httpd.conf

Verify Fix Applied:

Confirm that the admin interface reports 9_12_380 or higher after the restart. If you re-test the document_root.html endpoint with a web vulnerability scanner, treat a clean scan only as corroborating evidence; the version check is authoritative, and any scanning should be done from an authorised host with the requests logged.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in Apache logs
  • Multiple requests to document_root.html with modified Host headers
  • Database connection errors from web process

Network Indicators:

  • HTTP requests with SQL keywords in Host header field
  • Unexpected outbound database connections from FTA appliance

SIEM Query:

source="fta_logs" AND (uri_path="/document_root.html" AND (header_host CONTAINS "'" OR header_host CONTAINS "SELECT" OR header_host CONTAINS "UNION"))
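The log indicators and the SIEM query above, expressed as a runnable check. This is an added example, not code from the page or from Accellion. It assumes Apache access logs written with a custom LogFormat that appends the Host header as a final quoted field (the format string and every sample line are constructed for the example), parses each line, flags requests for document_root.html whose Host header is anything other than a plain hostname[:port], and counts repeats per source address.

```python
# Added example for the detection section above; it is not code from the page or from
# Accellion. It assumes (constructed) Apache access logs written with a LogFormat that
# records the Host header as the last quoted field, e.g.:
#   LogFormat "%h %t \"%r\" %>s \"%{Host}i\""
import re
from collections import Counter

# One access-log record: client, timestamp, request line, status, quoted Host header.
# Apache escapes embedded double quotes in the Host value as \" so the host group allows them.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
    r'"(?P<host>(?:[^"\\]|\\.)*)"$'
)

# A Host header should only ever hold hostname[:port]; anything else is worth a look,
# and SQL metacharacters / keywords are the specific CVE-2021-27101 signal.
VALID_HOST = re.compile(r'^[A-Za-z0-9.-]+(:\d{1,5})?$')
SQLI_IN_HOST = re.compile(
    r"""['";()]|--|\b(select|union|insert|update|delete|sleep|benchmark)\b""", re.I
)

def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = rec["host"].replace('\\"', '"')   # undo Apache's quote escaping
    return rec

def is_suspicious(rec):
    """True for a request to document_root.html whose Host header is not a plain hostname."""
    if rec is None:
        return False
    path = rec["path"].split("?", 1)[0].lower()      # ignore any query string
    if not path.endswith("document_root.html"):
        return False
    host = rec["host"]
    return bool(SQLI_IN_HOST.search(host)) or not VALID_HOST.match(host)

def scan(lines):
    """Return the parsed records that match the indicator."""
    return [rec for rec in map(parse_line, lines) if is_suspicious(rec)]

def count_by_source(hits):
    """Repeated hits from one client are the 'multiple requests' log indicator."""
    return Counter(rec["src"] for rec in hits)

# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 [12/Jan/2021:04:12:09 +0000] "GET /document_root.html HTTP/1.1" 200 "fta.example.com"',
    '203.0.113.7 [12/Jan/2021:04:12:11 +0000] "GET /document_root.html HTTP/1.1" 500 "fta.example.com\'"',
    '203.0.113.7 [12/Jan/2021:04:12:13 +0000] "GET /document_root.html HTTP/1.1" 200 "x\' UNION SELECT 1--"',
    '198.51.100.4 [12/Jan/2021:04:13:00 +0000] "GET /index.html HTTP/1.1" 200 "fta.example.com\'"',
    '192.0.2.9 [12/Jan/2021:04:14:22 +0000] "GET /document_root.html HTTP/1.1" 200 "fta.example.com:443"',
    r'203.0.113.7 [12/Jan/2021:04:12:15 +0000] "GET /document_root.html?lang=en HTTP/1.1" 200 "fta.example.com\" OR 1=1"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["src"]} {rec["status"]} {rec["path"]} Host={rec["host"]!r}')
    print("hits per source:", dict(count_by_source(hits)))
```

Run it as-is to scan the embedded sample; feed scan() the lines of a real log to use it. The path check mirrors the scope of the SIEM query; dropping it flags SQL metacharacters in the Host header for any URL, which is cheap and safe because a legitimate Host header never contains them.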
