CVE-2021-27103
Vexday Risk Score
63 · High priority
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8 · EPSS 11.4% · KEV yes · PoC — · Nuclei — · Metasploit — · Patch —
Lifecycle
16 Feb 2021: Published on NVD
03 Nov 2021: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short
Accellion FTA versions up to 9.12.411 have a flaw where attackers can send specially crafted requests to make the server access internal systems or services it shouldn't. This allows hackers to bypass security boundaries and potentially steal sensitive data.
Technical detail
SSRF vulnerability in Accellion FTA ≤9.12.411 via POST requests to wmProgressstat.html endpoint. Unauthenticated remote attackers can forge server-side requests to internal resources, potentially accessing restricted systems or metadata. Fixed in FTA 9.12.416+.
Summary generated and translated by AI from the official description.
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a