CVE-2021-27101 Overview
CVE-2021-27101 is a critical SQL injection vulnerability affecting Accellion File Transfer Appliance (FTA) version 9_12_370 and earlier. The vulnerability exists in the document_root.html endpoint and can be exploited by sending a specially crafted Host header in HTTP requests. Successful exploitation allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database, potentially leading to complete system compromise, data exfiltration, and unauthorized access to sensitive files.
This vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, making immediate remediation essential for affected organizations.
Critical Impact
This SQL injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially compromising the entire FTA appliance and accessing all stored files and sensitive data. Active exploitation has been observed in the wild.
Affected Products
- Accellion FTA version 9_12_370 and earlier
- All Accellion FTA deployments prior to FTA_9_12_380
Discovery Timeline
- February 16, 2021 - CVE-2021-27101 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2021-27101
Vulnerability Analysis
This SQL injection vulnerability exists in the Accellion FTA web application's handling of the HTTP Host header when processing requests to document_root.html. The application fails to properly sanitize or validate the Host header value before incorporating it into SQL queries. This allows attackers to inject malicious SQL statements that are executed with the privileges of the database user.
The attack requires no authentication and can be executed remotely over the network. When exploited, attackers can extract sensitive data from the database, modify or delete records, and potentially gain further access to the underlying system through database-specific functionality.
Root Cause
The root cause of this vulnerability is improper input validation and lack of parameterized queries in the Accellion FTA application. The document_root.html endpoint directly incorporates user-controlled input from the HTTP Host header into SQL queries without proper sanitization or the use of prepared statements. This classic SQL injection pattern allows attackers to break out of the intended query structure and inject arbitrary SQL commands.
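The following is an added illustration of the root-cause pattern described above, not code from Accellion FTA. The `sites` table, its columns and the hostname lookup query are assumptions standing in for whatever the appliance actually consults; an in-memory SQLite database stands in for the backend. It places the string-concatenation pattern beside the parameterized form so the difference in behaviour for the same Host values is visible.

```python
import sqlite3


def make_db():
    # Constructed schema: hostname -> document root. Hypothetical, not FTA's.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (hostname TEXT, document_root TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?)",
        [("fta.example.com", "/var/www/fta"),
         ("internal.example.com", "/var/www/internal")],
    )
    return conn


def lookup_root_vulnerable(conn, host):
    # The flawed pattern: the Host header value is spliced into the SQL text,
    # so a quote in the header changes the query's structure instead of
    # being treated as data.
    sql = "SELECT document_root FROM sites WHERE hostname = '" + host + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_root_safe(conn, host):
    # Parameterized query: the value is bound by the driver and can only
    # ever match as a literal string, whatever characters it contains.
    sql = "SELECT document_root FROM sites WHERE hostname = ?"
    return [row[0] for row in conn.execute(sql, (host,))]


def demo():
    conn = make_db()
    benign = "fta.example.com"
    # Constructed hostile Host values: a stray quote, and the classic
    # tautology that turns the WHERE clause into "match every row".
    stray_quote = "fta.example.com'"
    tautology = "x' OR '1'='1"
    try:
        lookup_root_vulnerable(conn, stray_quote)
        vuln_stray = "query ran"
    except sqlite3.OperationalError:
        vuln_stray = "syntax error"  # the header broke the query structure
    return {
        "vuln_benign": lookup_root_vulnerable(conn, benign),
        "vuln_stray_quote": vuln_stray,
        "vuln_tautology": lookup_root_vulnerable(conn, tautology),
        "safe_benign": lookup_root_safe(conn, benign),
        "safe_stray_quote": lookup_root_safe(conn, stray_quote),
        "safe_tautology": lookup_root_safe(conn, tautology),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The concatenated version returns every row for the tautology and fails with a syntax error for a stray quote, which is exactly the "break out of the intended query structure" behaviour the paragraph describes; the parameterized version returns nothing for both, because the hostile strings never exist as hostnames. Escaping or "sanitizing" the header is not the fix; binding it as a parameter is.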
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker can exploit this vulnerability by sending a malicious HTTP request with a crafted Host header to the vulnerable document_root.html endpoint. The injected SQL payload is then executed by the database server with the application's database privileges.
The attack can be performed remotely against any internet-exposed Accellion FTA instance running a vulnerable version. Given that FTA appliances are typically used for secure file transfer and often contain sensitive business data, successful exploitation can result in significant data breaches.
The exploitation mechanism involves crafting an HTTP request with a malicious Host header containing SQL injection payloads. The vulnerable endpoint processes this header value without proper sanitization, allowing the attacker's SQL commands to execute against the backend database. For detailed technical information, refer to the GitHub CVE Details.
Detection Methods for CVE-2021-27101
Indicators of Compromise
- Unusual or malformed Host headers in HTTP request logs targeting document_root.html
- Database query logs showing unexpected or malicious SQL statements
- Anomalous file access patterns or bulk data extraction from the FTA system
- Web server access logs showing repeated requests to document_root.html with unusual parameters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block SQL injection patterns in HTTP headers
- Monitor HTTP request logs for requests to document_root.html with abnormal Host header values containing SQL metacharacters such as single quotes, semicolons, or SQL keywords
- Deploy intrusion detection systems (IDS) with signatures for known Accellion FTA exploitation attempts
- Review database audit logs for unauthorized queries or data access patterns
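Below is an added example, not from the original page or from Accellion, that applies the Indicators of Compromise and Detection Strategies above to web server access logs. The log format is an assumption: an Apache-style custom LogFormat that records the Host request header as the last quoted field (`"%h %t \"%r\" %>s \"%{Host}i\""`). The sample lines are constructed. The script scopes itself to requests for document_root.html, flags Host values that fail the hostname grammar, contain SQL metacharacters, or contain the SQL keywords listed above, and separately reports sources that hit the endpoint repeatedly.

```python
import re
from collections import Counter

# Constructed sample log lines in the assumed format (not real FTA logs).
SAMPLE_LOG = """\
203.0.113.10 [16/Feb/2021:10:00:01 +0000] "GET /document_root.html HTTP/1.1" 200 "fta.example.com"
198.51.100.7 [16/Feb/2021:10:00:05 +0000] "GET /document_root.html HTTP/1.1" 500 "fta.example.com' AND 1=1--"
198.51.100.7 [16/Feb/2021:10:00:06 +0000] "GET /document_root.html HTTP/1.1" 500 "x) UNION SELECT 1"
203.0.113.10 [16/Feb/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 "fta.example.com'"
198.51.100.7 [16/Feb/2021:10:00:11 +0000] "GET /document_root.html HTTP/1.1" 200 "fta.example.com"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)

TARGET = "document_root.html"
# A legitimate Host header is a hostname or IPv4 literal with an optional
# port. Quotes, spaces, parentheses and the like never belong there.
VALID_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::\d{1,5})?$")
SQL_META = re.compile(r"['\";]|--|/\*")
SQL_KEYWORDS = re.compile(r"\b(?:select|union|insert|update|delete|drop)\b", re.I)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify_host(host):
    """List the reasons a Host header value looks suspicious (empty = clean)."""
    reasons = []
    if not VALID_HOST.match(host):
        reasons.append("malformed host")
    if SQL_META.search(host):
        reasons.append("sql metacharacter")
    if SQL_KEYWORDS.search(host):
        reasons.append("sql keyword")
    return reasons


def scan(log_text, repeat_threshold=3):
    """Scan log text; return suspicious hits and sources that hit the
    target endpoint at least repeat_threshold times."""
    hits = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or TARGET not in rec["path"]:
            continue  # only the vulnerable endpoint is of interest here
        per_source[rec["ip"]] += 1
        reasons = classify_host(rec["host"])
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "host": rec["host"], "reasons": reasons})
    repeaters = {ip: n for ip, n in per_source.items() if n >= repeat_threshold}
    return {"hits": hits, "repeaters": repeaters}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for hit in result["hits"]:
        print(f'{hit["ts"]} {hit["ip"]} Host="{hit["host"]}" -> {", ".join(hit["reasons"])}')
    for ip, n in result["repeaters"].items():
        print(f"{ip} requested {TARGET} {n} times")
```

A "malformed host" or "sql metacharacter" finding is strong on its own, because a real client never sends those characters in Host. A "sql keyword" finding by itself deserves review rather than an alert: a legitimate hostname such as drop.example.com trips the keyword check, which is also why the ModSecurity keyword rule under Workarounds should be tuned against your own hostnames before it is run in blocking mode. Note that the fourth sample line carries a quote in Host but targets index.html, so it is deliberately ignored; widen TARGET if you want to hunt beyond this endpoint.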
Monitoring Recommendations
- Enable detailed logging on Accellion FTA appliances including HTTP headers and database queries
- Configure SIEM alerts for SQL injection indicators in web server logs targeting the document_root.html endpoint
- Monitor network traffic for data exfiltration patterns from FTA appliances
- Implement file integrity monitoring on FTA appliance configuration and system files
How to Mitigate CVE-2021-27101
Immediate Actions Required
- Upgrade Accellion FTA to version FTA_9_12_380 or later immediately
- If immediate patching is not possible, consider taking the FTA appliance offline until patching can be completed
- Review access logs for signs of past exploitation attempts
- Conduct a security assessment to determine if the system has been compromised
Patch Information
Accellion has released version FTA_9_12_380 which addresses this SQL injection vulnerability. Organizations should upgrade to this version or later as soon as possible. Given the active exploitation of this vulnerability in the wild, patching should be treated as an emergency priority.
For the latest patch information and upgrade instructions, refer to the Accellion Product Page. Additional details are available in the CISA Known Exploited Vulnerabilities Catalog.
Workarounds
- Restrict network access to the FTA appliance to only trusted IP addresses and networks
- Place the FTA appliance behind a web application firewall (WAF) configured to block SQL injection attempts
- Monitor and filter incoming HTTP requests for suspicious Host header values
- Consider migrating to Accellion's successor product (Kiteworks) which provides enhanced security features
# Example WAF rules to block suspicious Host headers (ModSecurity syntax)
# Add to your WAF configuration to help mitigate exploitation attempts;
# test against your own legitimate hostnames before enabling in blocking mode
# Rule 1001: a single quote never belongs in a Host header
SecRule REQUEST_HEADERS:Host "@contains '" "id:1001,phase:1,deny,status:403,log,msg:'Potential SQL Injection in Host Header'"
# Rule 1002: SQL keywords, matched case-insensitively and as whole words
SecRule REQUEST_HEADERS:Host "@rx (?i)\b(?:SELECT|UNION|INSERT|UPDATE|DELETE|DROP)\b" "id:1002,phase:1,deny,status:403,log,msg:'SQL Keywords in Host Header'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.