CVE-2021-27103

9.8 CRITICAL

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Accellion File Transfer Appliance (FTA) versions 9_12_411 and earlier. An attacker can send a crafted POST request to wmProgressstat.html that causes the appliance to issue requests on the attacker's behalf to internal or external systems. Any organization running a vulnerable Accellion FTA version is affected.

💻 Affected Systems

Products:
  • Accellion File Transfer Appliance (FTA)
Versions: 9_12_411 and earlier
Operating Systems: Not specified - appliance-based
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface component of the FTA appliance.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could pivot to internal networks, access sensitive internal services, exfiltrate data, or chain with other vulnerabilities for complete system compromise.

🟠 Likely Case

Unauthorized access to internal services, data exfiltration, or use of the vulnerable server as a proxy for attacks against other systems.

🟢 If Mitigated

Limited impact with proper network segmentation, but still potential for information disclosure about internal network structure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a crafted HTTP POST request. This vulnerability was part of the Accellion FTA attacks in early 2021.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FTA_9_12_416 and later

Vendor Advisory: https://www.accellion.com/products/fta/

Restart Required: Yes

Instructions:

1. Download FTA_9_12_416 or later from the Accellion support portal.
2. Back up the current configuration.
3. Apply the update following Accellion's upgrade documentation.
4. Restart the FTA appliance.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Block wmProgressstat.html Access (platform: linux)

Temporarily block access to the vulnerable endpoint via a web application firewall or network controls. Note that on port 443 the request is TLS-encrypted on the wire, so the string match below only takes effect where the traffic is already decrypted (for example on a plaintext listener behind a TLS-terminating proxy); a WAF rule at the decryption point is the reliable form of this control.

iptables -A INPUT -p tcp --dport 443 -m string --string "wmProgressstat.html" --algo bm -j DROP

Network Segmentation (platform: all)

Restrict outbound network access from the FTA appliance to only the services it requires.

🧯 If You Can't Patch

  • Isolate the FTA appliance in a DMZ with strict outbound firewall rules
  • Implement web application firewall rules to detect and block SSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check the FTA version via the web interface or SSH: a version of 9_12_411 or earlier is vulnerable.

Check Version:

ssh admin@fta-host "cat /usr/local/accellion/fta/version.txt"

Verify Fix Applied:

Verify that the version is FTA_9_12_416 or later, and confirm that POST requests to wmProgressstat.html no longer cause the appliance to fetch external URLs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wmProgressstat.html
  • Outbound connections from FTA to unexpected internal/external IPs

Network Indicators:

  • HTTP POST requests to /wmProgressstat.html with URL parameters
  • Outbound connections from FTA to internal services it shouldn't access

SIEM Query:

source="fta_logs" AND uri="/wmProgressstat.html" AND method="POST"
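As an added example (not part of this advisory or of any Accellion tooling), the log indicators above applied to web-server access-log lines in Python. It assumes the FTA front end writes Apache/nginx combined-format logs; the sample lines and the `url` parameter name are constructed placeholders, since the advisory does not name the vulnerable parameter, and POST bodies are normally absent from access logs, so only URL-borne parameters are visible here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log prefix (assumption about the FTA's log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
VULN_PATH = "/wmProgressstat.html"
# Query values that look like absolute URLs are the SSRF tell-tale.
URL_VALUE = re.compile(r'^(https?|ftp|gopher|file|dict)://', re.IGNORECASE)


def parse_log_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ssrf_indicator(entry):
    """Flag every POST to the vulnerable endpoint; list query parameters carrying URL values."""
    if entry is None or entry["method"] != "POST":
        return None
    parts = urlsplit(entry["target"])
    if parts.path != VULN_PATH:
        return None
    url_params = [k for k, vals in parse_qs(parts.query).items()
                  if any(URL_VALUE.match(v) for v in vals)]
    return {"src": entry["src"], "ts": entry["ts"],
            "status": entry["status"], "url_params": url_params}


def scan(lines):
    """Run the indicator over a sequence of log lines and return the hits in order."""
    hits = [is_ssrf_indicator(parse_log_line(line)) for line in lines]
    return [h for h in hits if h]


# Constructed sample lines (RFC 5737 addresses); "url" is a placeholder parameter name.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Feb/2021:12:00:01 +0000] "GET /wmProgressstat.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2021:12:00:02 +0000] "POST /index.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2021:12:00:03 +0000] "POST /wmProgressstat.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Feb/2021:12:00:04 +0000] "POST /wmProgressstat.html?url=http%3A%2F%2F10.0.0.5%2F HTTP/1.1" 200 512 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Feed real access logs through `scan()` and correlate each hit with the outbound-connection indicators listed above, since a body-borne URL will not show up in `url_params`.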
