CriticalCISA KEVExploited in the wildPublic exploit

SQL Injection in Accellion FTA document_root.html via Host header

IdentifiersCVE-2021-27101CWE-89

CVE-2021-27101 is a critical SQL injection vulnerability in Accellion File Transfer Appliance (FTA) 9_12_370 and earlier. The flaw is reachable remotely without authentication by sending a specially crafted HTTP request to document_root.html that abuses the Host header. Multiple sources in the provided content describe the issue as SQL injection via a crafted HOST header, and joint government advisories further note that exploitation of this flaw allowed unauthenticated attackers to run remote commands on targeted devices and deploy a web shell. The vulnerability was one of the Accellion FTA flaws exploited in the wild during the 2020–2021 campaign against organizations using vulnerable FTA appliances.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can lead to compromise of the Accellion FTA appliance, including execution of remote commands, deployment of a web shell, viewing and exfiltration of files stored or handled by the appliance, and subsequent extortion activity. The provided content also indicates attackers used the vulnerability as an initial access vector and potentially to pivot further into victim environments. In observed incidents, exploitation supported command execution, data theft, and log cleanup on compromised systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate remediation is not possible, isolate or block internet access to and from systems hosting Accellion FTA, prioritize forensic collection, and investigate for indicators of compromise such as suspicious requests to /courier/document_root.html, evidence of Host-header SQL injection in rewrite.log, unexpected requests involving about.html/about.htmldwn, and presence of web shells at reported paths. Audit FTA accounts and passwords, reset exposed security tokens including the W1 encryption token, and monitor for suspicious outbound connections and data transfers. Given active exploitation and product end-of-life, mitigation should be treated only as a temporary measure pending upgrade or migration.

Remediation

Patch, then assume compromise.

Upgrade Accellion FTA to a fixed release. The provided content states CVE-2021-27101 is fixed in FTA_9_12_380 and later, and later joint advisory guidance recommends updating FTA to FTA_9_12_432 or later. Because Accellion FTA reached end of life on April 30, 2021, organizations should migrate to a supported file-sharing platform, as recommended by Accellion and government advisories.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

AccellionFtaapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

cyberintNews

Feb 20, 2025

CL0P Ransomware: The Latest Updates

A critical SQL injection vulnerability in Accellion FTA exploitable via a crafted Host header.

tenable blogNews

Feb 19, 2021

Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) - Blog | Tenable®

Unauthenticated remote SQL injection in Accellion File Transfer Appliance (FTA) via a crafted Host header to the document_root file, potentially enabling data access/exfiltration.

ic3 alertsNews

Apr 2, 2026

An Accellion File Transfer Appliance vulnerability listed among 2021 CVEs known to be exploited.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware2

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2021-27101

NVD

nvd.nist.gov/vuln/detail/CVE-2021-27101

MITRE CWE · CWE-89

cwe.mitre.org

Vendor Advisory

accellion.com/products/fta

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-27101