CVE REFERENCE | CRITICAL VULNERABILITY
Active Threat. January 23, 2021. 10 min read

CVE-2021-27101 Explained: Accellion FTA SQL Injection and the CLOP Ransomware Campaign

A CVSS 9.8 SQL injection in Accellion FTA (File Transfer Appliance) that fueled one of 2021's largest ransomware-driven data extortion campaigns. CLOP ransomware stole data from 100+ organizations including government agencies.

Sources: NVD | CISA Alert AA21-055A | FireEye/Mandiant Report
Eric Bang

Founder & Cybersecurity Evangelist

CVSS Score: 9.8
Organizations Affected: 100+
Auth Required: None
Threat Actor: CLOP

CVE-2021-27101 is one of four vulnerabilities discovered in Accellion's legacy File Transfer Appliance (FTA) product, a managed file transfer solution used by enterprises and government agencies for securely transferring large files. The SQL injection vulnerability received a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary commands on the appliance.

Beginning in December 2020, the CLOP ransomware group (FIN11/UNC2546) exploited CVE-2021-27101 and three companion vulnerabilities in a coordinated campaign against Accellion FTA customers worldwide. Unlike traditional ransomware attacks that encrypt files in place, CLOP used the access to exfiltrate sensitive files and then extort organizations through their leak site — threatening to publish stolen data unless ransoms were paid.

The Vulnerability and Companion CVEs

CVE-2021-27101 is a SQL injection vulnerability in the Accellion FTA web application. The FTA's file management interfaces fail to properly sanitize input before incorporating it into SQL database queries. By injecting SQL syntax into vulnerable parameters, an unauthenticated attacker can execute arbitrary SQL commands — and through database server extension mechanisms, escalate to operating system command execution.

Three companion vulnerabilities were discovered and exploited alongside CVE-2021-27101:

CVE-2021-27102 is an OS command execution vulnerability that, when chained with the SQL injection, provides a reliable path from database access to OS shell.

CVE-2021-27103 is a server-side request forgery (SSRF) vulnerability enabling internal network reconnaissance from the FTA appliance.

CVE-2021-27104 is another OS command execution vulnerability providing an additional pathway to RCE.

The combination of these four vulnerabilities — particularly the SQL injection to command execution chain of CVE-2021-27101 and CVE-2021-27102 — provided reliable unauthenticated RCE on any Accellion FTA appliance running versions before the patch release. Affected versions include FTA 9_12_432 and earlier.

Accellion FTA was an end-of-life product at the time of exploitation, with the vendor having announced its replacement (Kiteworks) years earlier. Many customers continued to run FTA because migration to Kiteworks required significant effort.

1. Identify Accellion FTA instances

Scan for Accellion FTA web portals. The FTA has a distinctive login interface and identifiable URL patterns. Known FTA customers were targeted selectively based on their public association with the product.

2. Exploit CVE-2021-27101 SQL injection

Send a crafted HTTP request to a vulnerable FTA endpoint with SQL injection payloads in input parameters. The unsanitized input reaches the database query, enabling arbitrary SQL execution.

3. Chain to OS command execution (CVE-2021-27102)

From the database access achieved via SQL injection, invoke OS command execution capability through database server extensions or stored procedure mechanisms, obtaining an OS shell on the FTA appliance.

4. Deploy DEWMODE web shell

Install DEWMODE, a PHP web shell specifically developed for the Accellion campaign, on the FTA appliance. DEWMODE provides persistent access for file listing, downloading, and command execution.

5. Exfiltrate files

Use DEWMODE to browse and download files that organizations had transferred through the FTA appliance, which often included sensitive documents, financial records, legal files, healthcare data, and government documents.

6. Extort organizations

Contact victim organizations threatening to publish stolen files on CLOP's leak site unless ransom was paid. Unlike encryption ransomware, the attack was pure data extortion with no operational disruption, making traditional backup-based recovery irrelevant.

The CLOP Campaign: Supply Chain Breach Without Encryption

The Accellion FTA campaign represented a novel approach to ransomware-adjacent extortion: targeting a file transfer platform used by dozens of high-value organizations simultaneously, rather than attacking each organization individually. Because Accellion FTA was the mechanism through which organizations transferred their most sensitive files, the data exfiltrated often included material of exceptional sensitivity.

Over 100 organizations were ultimately confirmed as CLOP victims in the Accellion campaign. The victim list included the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), the Washington State Auditor's Office (exposing data on 1.4 million unemployment insurance claimants), US grocery chain Kroger (exposing employee HR and pharmacy data), Shell (exposing employee and business partner data), the University of California system, Stanford University, and multiple major law firms.

The supply-chain characteristic of the attack — targeting a platform rather than individual organizations — meant that organizations with strong security postures could still be victimized if they were customers of a vulnerable service. This foreshadowed subsequent supply chain attacks including the Kaseya VSA breach and others.

"The threat actors who compromised Accellion FTA appliances use the vulnerabilities to install a web shell called DEWMODE, through which they exfiltrate data from underlying FTA file systems."

(Mandiant/FireEye Intelligence Report, February 2021)

Patching and Responding to CVE-2021-27101

Accellion released patches in January 2021 and later announced accelerated end-of-life for FTA, strongly urging migration to Kiteworks. The following steps address both immediate remediation and breach response.

Upgrade or decommission Accellion FTA immediately

Apply patches released January 2021 (FTA version 9_12_444 or later). Given that FTA is end-of-life, the correct long-term action is migration to a supported managed file transfer platform. Accellion provided migration assistance to Kiteworks for affected customers.

Take FTA offline pending patching if still running vulnerable version

If running a vulnerable FTA version and immediate patching is not possible, take the appliance offline. The risk of continued operation vastly outweighs the operational disruption of temporary unavailability.

Search for DEWMODE web shell indicators

Search the FTA filesystem for DEWMODE — a PHP file with a specific code structure. Check Apache web server logs for POST requests to unusual PHP files not in the standard FTA application. Mandiant published specific DEWMODE indicators in their February 2021 report.
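One way to do the log side of that search, as an added example that is not part of the original article or of any Mandiant tooling: parse Apache access-log lines, keep only POST requests to .php paths that are not on an allowlist of the appliance's own PHP endpoints, and optionally restrict the results to the exposure window. The allowlist entries and the sample log lines are constructed placeholders; the real allowlist must come from a known-good FTA install of the same version.

```python
import re
from datetime import datetime

# Apache "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed allowlist of PHP endpoints that legitimately receive POSTs. Placeholder
# names: build the real set from a known-good FTA install of the same version.
KNOWN_FTA_PHP = {"/app/login.php", "/app/upload.php", "/app/download.php"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # compare without the query string
    return rec

def suspicious_php_posts(lines, known_php, start=None, end=None):
    """Return (iso_timestamp, ip, path, status) for each POST to a .php path that is
    not in the allowlist, optionally limited to an ISO-8601 exposure window."""
    lo = datetime.fromisoformat(start) if start else None
    hi = datetime.fromisoformat(end) if end else None
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().endswith(".php") or rec["path"] in known_php:
            continue
        if (lo and rec["ts"] < lo) or (hi and rec["ts"] > hi):
            continue
        hits.append((rec["ts"].isoformat(), rec["ip"], rec["path"], rec["status"]))
    return hits

# Constructed sample log; the two POSTs to example_shell.php (a made-up name) are
# the kind of request that warrants a look: a PHP file that is not part of the app.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jan/2021:10:15:01 +0000] "POST /app/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Jan/2021:10:16:44 +0000] "GET /app/download.php?id=42 HTTP/1.1" 200 8192 "-" "curl/7.68.0"
203.0.113.7 - - [23/Jan/2021:10:17:09 +0000] "POST /app/images/example_shell.php HTTP/1.1" 200 31 "-" "python-requests/2.25"
203.0.113.7 - - [23/Jan/2021:10:17:30 +0000] "POST /app/images/example_shell.php?dwn=1 HTTP/1.1" 200 4096 "-" "python-requests/2.25"
10.0.0.9 - - [23/Jan/2021:11:00:00 +0000] "POST /app/upload.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def scan_sample(start=None, end=None):
    return suspicious_php_posts(SAMPLE_LOG.splitlines(), KNOWN_FTA_PHP, start, end)
```

Any hit is a lead, not a verdict: confirm it against the filesystem check above and the published DEWMODE indicators, and expect the allowlist to need tuning for appliance-specific paths.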

Inventory files transferred through FTA during the exposure window

Review FTA transfer logs to identify every file transferred through the appliance during the period of potential compromise. Treat all transferred files as potentially exfiltrated. Assess the sensitivity and regulatory implications of each.

Evaluate breach notification obligations

Files exfiltrated through FTA may include personal data subject to GDPR, HIPAA, state breach notification laws, or sector-specific regulations. Legal counsel should assess notification obligations based on the inventory of exfiltrated files. Many CLOP victims faced regulatory scrutiny for delayed or inadequate notification.

The bottom line

The Accellion FTA campaign demonstrated that end-of-life software running in sensitive network positions represents existential risk — not just operational risk. FTA was announced end-of-life years before the breach. Organizations kept running it because migration was difficult. The result was that the most sensitive files they transferred — the ones with the highest security requirements — were exfiltrated by a ransomware group.

Data extortion without encryption is an increasingly common tactic because it is immune to the backup-based recovery that neutralizes encryption ransomware. When the attacker has your files, restoring from backup does not change the extortion calculus. Prevention of exfiltration — through timely patching, network monitoring, and data loss prevention — is the only effective defense.

The supply chain targeting model used against Accellion FTA is now standard operating procedure for sophisticated threat actors. The question to ask about every platform your organization uses for sensitive data transfer is: what happens if that platform's security fails? If the answer is mass exfiltration of your most sensitive files, the risk treatment requires more than patch management.
