cbcvebase.
CVE-2021-27102
published 2021-02-16

CVE-2021-27102: Accellion FTA 9_12_411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA_9_12_416 and later.

Priority: P1, 85 (high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, due 2021-11-17
Exploited in the wild
EPSS: 3.65% (88.2nd percentile)

Affected

1 range
Vendor      Product   Version range   Fixed in
accellion   fta       <= 9_12_411

Detection & IOCs (extracted from sources)

path: /home/seos/courier/
filename: DEWMODE
version: FTA_9_12_411 and earlier
  • CVE-2021-27102 is an OS command injection exploited via a local web service call by an attacker with local access and low privileges on Accellion FTA versions 9_12_411 and earlier. Monitor for anomalous local web service calls on FTA appliances.
  • Hunt for the DEWMODE web shell under /home/seos/courier/ on Accellion FTA servers as a post-exploitation indicator of CVE-2021-27102 and related vulnerabilities.
  • Check for log deletion activity on Accellion FTA appliances, as attackers attempted to cover their tracks after exploitation.
  • CVE-2021-27102 requires local access with low privileges (not remotely exploitable on its own), unlike CVE-2021-27101/27103/27104, which are remotely exploitable. It is used as part of a chained exploit sequence.
  • The fixed version for CVE-2021-27102 is FTA_9_12_416 and later. Organizations still running FTA_9_12_411 or earlier are vulnerable. Note that FTA reached end of life on April 30, 2021.
  • TTPs used in the Accellion breach and in association with the DEWMODE web shell have become widely publicized, and threat actors may modify them to evade detection.
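As an added defender-side check (example code, not from this record or its sources): a Python script that classifies an FTA version string against the affected and fixed bounds above and lists files under /home/seos/courier/ whose name matches the DEWMODE indicator. The function names, the "unknown" band for versions between the two published bounds, and the case-insensitive substring match are assumptions; a renamed shell will not be found by name.

```python
from __future__ import annotations
import os
import re
from pathlib import Path

# Bounds taken from the CVE record: 9_12_411 and earlier affected,
# 9_12_416 and later fixed. Versions between the two are reported as
# "unknown" because the record says nothing about them (assumption).
LAST_AFFECTED = (9, 12, 411)
FIRST_FIXED = (9, 12, 416)
# IoC from the record: DEWMODE web shell under /home/seos/courier/
COURIER_DIR = Path("/home/seos/courier")
WEBSHELL_NAME = "dewmode"

# Accepts both "FTA_9_12_411" and "9_12_411" (prefix optional, assumption).
_VERSION_RE = re.compile(r"^(?:FTA_)?(\d+)_(\d+)_(\d+)$")


def parse_fta_version(text: str) -> tuple[int, int, int]:
    """Turn an FTA version string into a comparable (major, minor, build) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised FTA version string: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def version_status(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for a version string."""
    v = parse_fta_version(text)
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"


def find_webshell_candidates(root: Path = COURIER_DIR) -> list[str]:
    """List files under root whose name contains the DEWMODE indicator.

    Filename match only: an empty result is not proof the host is clean.
    """
    hits: list[str] = []
    if not root.is_dir():
        return hits
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if WEBSHELL_NAME in name.lower():
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    ver = sys.argv[1] if len(sys.argv) > 1 else "FTA_9_12_411"
    print(f"{ver}: {version_status(ver)}")
    for hit in find_webshell_candidates():
        print(f"web shell indicator: {hit}")
```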

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH
cisa                  7.8     HIGH