CriticalCISA KEVExploited in the wildPublic exploit

OS Command Injection in Accellion FTA admin endpoints

IdentifiersCVE-2021-27104CWE-78· Improper Neutralization of Special…

CVE-2021-27104 is an operating system command injection vulnerability in Accellion File Transfer Appliance (FTA). According to the provided content, the flaw affects FTA 9_12_370 and earlier and can be triggered via a crafted POST request sent to various FTA administrative endpoints. Multiple sources in the content characterize the issue as remotely exploitable and unauthenticated. Successful exploitation causes attacker-controlled input to be executed as OS commands on the underlying appliance. The vulnerability was one of several Accellion FTA flaws exploited in real-world intrusions associated with data theft campaigns.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote execution of operating system commands on the vulnerable Accellion FTA appliance. In observed campaigns, exploitation of Accellion FTA vulnerabilities enabled deployment of web shells, access to and exfiltration of files from the appliance, and potentially further intrusion activity into victim environments. The content specifically notes victim data access and possible pivoting into victim networks.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching or migration is not possible, isolate or block internet access to systems hosting Accellion FTA, prioritize incident investigation on exposed appliances, collect forensic images if compromise is suspected, audit FTA accounts and credentials, and reset security tokens including the W1 encryption token due to possible exposure in related Accellion exploitation activity. Given active exploitation and product end-of-life, mitigation should be treated only as temporary pending upgrade or replacement.

Remediation

Patch, then assume compromise.

Upgrade Accellion FTA to a fixed release. The primary description in the content states the fixed version is FTA_9_12_380 and later. Additional advisory material in the content recommends updating Accellion FTA to FTA_9_12_432 or later as part of the broader remediation for the exploited FTA vulnerability set. Because Accellion FTA reached end of life on April 30, 2021, organizations should migrate to a supported file-sharing platform as directed by the vendor.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AccellionFtaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

cyberintNews

Feb 20, 2025

CL0P Ransomware: The Latest Updates

A critical command execution vulnerability in Accellion FTA via a crafted POST request.

tenable blogNews

Feb 19, 2021

Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) - Blog | Tenable®

Unauthenticated remote OS command injection in Accellion FTA via crafted POST requests to an administrative endpoint, potentially enabling remote code execution and data exfiltration.

ic3 alertsNews

Apr 2, 2026

An Accellion File Transfer Appliance vulnerability listed among 2021 CVEs known to be exploited.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2021-27104

NVD

nvd.nist.gov/vuln/detail/CVE-2021-27104

MITRE CWE · CWE-78

Improper Neutralization of Special Elements…

Vendor Advisory

accellion.com/products/fta

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27104