CVE-2021-27103
Published: 2021-02-16
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
Priority: P1 · 91 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2021-11-17
Exploited in the wild
EPSS: 11.41% (95.5th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| accellion | fta | < 9_12_416 | 9_12_416 |
Detection & IOCs (extracted from sources)
- Detect CVE-2021-27103 exploitation by monitoring for crafted POST requests to wmProgressstat.html on Accellion FTA instances; this endpoint is the attack vector for the SSRF vulnerability.
- Hunt for the DEWMODE web shell on compromised Accellion FTA servers; it was used post-exploitation to browse the file system and exfiltrate data.
- Check for the DEWMODE web shell presence under /home/seos/courier/ on FTA servers as part of post-exploitation forensics.
- Monitor Accellion FTA servers for log deletion activity, which attackers used to cover their tracks after exploitation.
- CVE-2021-27103 affects FTA versions 9_12_370 and earlier; flag any FTA instance not yet patched to 9_12_380 or later as vulnerable.
- CVE-2021-27103 affects Accellion FTA versions 9_12_370 and earlier; the fix is version 9_12_380 and later. Note that NVD lists the affected version as 9_12_411 and fixed as FTA_9_12_416, reflecting a later patch wave — organizations should apply the highest available patch.
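Two of the checks above, the version gate and the request-log hunt, written out as an added Python example that is not from this page or any of its sources; the FTA version format (9_12_NNN), the fixed version 9_12_416 and the endpoint name come from the page, while the sample log lines and the /courier/ path in them are constructed for illustration.

```python
import re
from typing import Iterable, List, Tuple

# Fixed version taken from the NVD description on this page (FTA_9_12_416 and later).
FIXED_VERSION = "9_12_416"


def parse_fta_version(v: str) -> Tuple[int, ...]:
    """Turn an FTA version such as 'FTA_9_12_411' or '9_12_411' into a comparable tuple."""
    core = v.strip()
    if core.startswith("FTA_"):
        core = core[len("FTA_"):]
    parts = core.split("_")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FTA version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the instance is older than the fixed version (i.e. < 9_12_416)."""
    return parse_fta_version(version) < parse_fta_version(fixed)


# Combined/common log format request line: only POSTs to wmProgressstat.html are of
# interest, because that is the vector the advisories describe; GETs are ignored.
_WMPROGRESS = re.compile(
    r'"POST\s+(?P<path>\S*wmProgressstat\.html)(?:\?\S*)?\s+HTTP/'
)


def find_suspicious_requests(lines: Iterable[str]) -> List[str]:
    """Return the access-log lines that record a POST to wmProgressstat.html."""
    return [ln for ln in lines if _WMPROGRESS.search(ln)]


# Constructed sample access-log lines (hypothetical paths, not from a real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jan/2021:03:14:02 +0000] "GET /courier/web/wmLogin.html HTTP/1.1" 200 5123',
    '203.0.113.7 - - [20/Jan/2021:03:14:09 +0000] "POST /courier/wmProgressstat.html HTTP/1.1" 200 312',
    '198.51.100.4 - - [20/Jan/2021:03:15:40 +0000] "GET /courier/wmProgressstat.html HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for v in ("9_12_370", "9_12_411", "FTA_9_12_416", "9_12_420"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```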
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
GHSA
GHSA-j665-969m-hg73: Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat
ghsa_unreviewed·2022-05-24
CVE-2021-27103 [CRITICAL] CWE-918 GHSA-j665-969m-hg73: Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
VulnCheck
Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-27103 [CRITICAL] CWE-918 Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html.
Affected: Accellion FTA
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://unit42.paloaltonetworks.com/clop-ransomware/; https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti; https://cisa.gov/news-events/cybersecurity-advisories/aa21-055a; https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cybersecurityworks.com/howdymana
CISA
Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2021-27103 [CRITICAL] CWE-918 Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
Vulnerability: Accellion FTA Server-Side Request Forgery (SSRF) Vulnerability
Affected: Accellion FTA
Accellion FTA contains a server-side request forgery (SSRF) vulnerability exploited via a crafted POST request to wmProgressstat.html.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-27103
Remediation Due Date: 2021-11-17
No detection rules found.
No public exploits indexed.
Fortinet
Ransomware Roundup - Cl0p | FortiGuard Labs
blogs_fortinet·2023-07-21·CVSS 9.8
[CRITICAL] Ransomware Roundup - Cl0p | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Ransomware Roundup - Cl0p
By Shunichi Imano and James Slaughter | July 21, 2023
On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the Cl0p ransomware.
Affected platforms: Microsoft Windows, Linux
Impacted parties: Microsoft Windows, Linux Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
Recently, the Cl0p ransomware group received
Tenable
FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
blogs_tenable·2023-06-16
FAQ for MOVEit Transfer Vulnerabilities and CL0P Ransomware Gang
Sentinelone
Cl0P
blogs_sentinelone·2022-11-30
Cl0P
Tenable
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
blogs_tenable·2022-03-11
Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
Qualys
Qualys Response to CISA Alert: Binding Operational Directive 22-01
blogs_qualys·2021-11-09
Qualys Response to CISA Alert: Binding Operational Directive 22-01
## Table of Contents
- Overview
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA's Vulnerabilities Using Qualys VMDR
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
## Overview
On November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directive 22-01, “Reducing the Significant Risk of Known Exploited Vulnerabilities.” This directive recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29·CVSS 10.0
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the large
Unit42
Threat Assessment: Clop Ransomware
blogs_unit42·2021-04-13
Threat Assessment: Clop Ransomware
Doel Santos, Unit 42 · Published: April 13, 2021 · Malware, Ransomware, Threat Actor Groups, Chubby Scorpius, Clop
## Executive Summary
Unit 42 researchers have observed an uptick in Clop ransomware activity affecting the wholesale and retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare and high tech industries in the U.S., Europe, Canada, Asia Pacific and Latin America. Clop also leverages double extortion practices and hosts a leak site, where the number of victims has grown significantly since its launch in March 2020. Clop has been commonly observed being delivered as the final-stage payload of a malicious spam campaign carried out by the financially motivated actor TA505. This ransomware has also been linked to threat actors behind the recent global zero-day attacks o
Tenable
Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104)
blogs_tenable·2021-02-19·CVSS 9.8
[CRITICAL] Accellion Patches Four Vulnerabilities in File Transfer Appliance (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104)
Huntress
Accellion Data Breach: What Happened, Impact, and Lessons | Huntress
blogs_huntress
Accellion Data Breach: What Happened, Impact, and Lessons | Huntress
## Accellion Data Breach
Published: 10/31/2025
Written by: Monica Burgess
The Accellion data breach was a massive supply-chain attack that exploited a legacy file transfer product. This incident impacted hundreds of organizations worldwide, including universities, government agencies, and major corporations. Attackers stole and leaked sensitive data, leading to significant financial and reputational damage for Accellion's customers and their clients. It’s a classic, if not terrifying, example of how a single vulnerability can have a massive ripple effect.
## Accellion Data Breach Explained: What Happened?
The Accellion data breach involved threat actors exploiting multiple zero-day vulnerabilities in the company's 20-year-old legacy File Transfer Appliance (FTA). Starting in December
Recorded Future
Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact
blogs_recorded_future
Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact
## Understanding Accellion’s FTA Appliance Compromise, DEWMODE, and Its Supply Chain Impact
This report provides a high-level overview of the Accellion File Transfer Appliance compromise and analysis of the DEWMODE webshell employed in the resulting breaches. Insikt Group used open source research (OSINT), PolySwarm, malware analysis, and the Recorded Future® Platform to execute this research. The target audience of this research includes day-to-day security practitioners as well as executive decision-makers concerned about targeting of third-party systems and software.
## Executive Summary
The compromise of the Accellion File Transfer Appliance (FTA) file sharing service impacting nearly 100 clients of the company was enabled primarily by 4 zero-day vulnerabilities in the tool that allowe
Sentinelone
Cl0P
blogs_sentinelone
Cl0P
# Cl0P Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is Cl0P Ransomware?
CL0P ransomware emerged in early 2019 and is associated with the greater TA505 threat group. They continue to be active as of January 2022. High-profile attacks have highlighted their aggressive campaigns against large enterprises. Malicious payloads are often digitally signed as well as employing multiple controls to avoid analysis.
Some CL0P examples are explicitly designed to not execute on Russian language systems. As is the case with other prominent ransomware families such as Maze and NetWalker, the actors behind the CL0P ransomware have been publicly posting victim data. This practice began in early 2020 and continues to this date.
In 2024, Cl0p was responsible for widespread exploit
Timeline: 2021-02-16 Published · 2021-11-03 Added to CISA KEV · Exploited in the wild