CVE-2021-27104

CVSS 9.8 CRITICAL · EPSS 56.7% · KEV · CWE-78

In short

Accellion FTA versions up to 9_12_370 have a critical flaw that allows attackers to run system commands by sending specially crafted requests to admin areas. This can give attackers complete control over the affected server.

Technical detail

Accellion FTA ≤9_12_370 contains an OS command injection vulnerability (CWE-78) reachable via POST requests to admin endpoints. Attackers can execute arbitrary system commands with server-level privileges, and need only network access to the vulnerable endpoint. The impact includes full system compromise and unauthorized access to sensitive data.

Summary generated and translated by AI from the official description.
Accellion FTA 9_12_370 and earlier is affected by OS command execution via a crafted POST request to various admin endpoints. The fixed version is FTA_9_12_380 and later.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
