CVE REFERENCE | CRITICAL VULNERABILITY
Active ThreatUpdated 10 min read

CVE-2021-27101 Explained: Accellion FTA SQL Injection and the CLOP Ransomware Campaign

A CVSS 9.8 SQL injection in Accellion FTA (File Transfer Appliance) that fueled one of 2021's largest ransomware-driven data extortion campaigns. CLOP ransomware stole data from 100+ organizations including government agencies.

9.8
CVSS Score
100+
Organizations Affected
None
Auth Required
CLOP
Threat Actor

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

CVE-2021-27101 is one of four vulnerabilities discovered in Accellion's legacy File Transfer Appliance (FTA) product, a managed file transfer solution used by enterprises and government agencies for securely transferring large files. The SQL injection vulnerability received a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary commands on the appliance.

Beginning in December 2020, the CLOP ransomware group (FIN11/UNC2546) exploited CVE-2021-27101 and three companion vulnerabilities in a coordinated campaign against Accellion FTA customers worldwide. Unlike traditional ransomware attacks that encrypt files in place, CLOP used the access to exfiltrate sensitive files and then extort organizations through their leak site, threatening to publish stolen data unless ransoms were paid.

The Vulnerability and Companion CVEs

CVE-2021-27101 is a SQL injection vulnerability in the Accellion FTA web application. The FTA's file management interfaces fail to properly sanitize input before incorporating it into SQL database queries. By injecting SQL syntax into vulnerable parameters, an unauthenticated attacker can execute arbitrary SQL commands, and through database server extension mechanisms, escalate to operating system command execution.

Three companion vulnerabilities were discovered and exploited alongside CVE-2021-27101:

CVE-2021-27102 is an OS command execution vulnerability that, when chained with the SQL injection, provides a reliable path from database access to OS shell.

CVE-2021-27103 is a server-side request forgery (SSRF) vulnerability enabling internal network reconnaissance from the FTA appliance.

CVE-2021-27104 is another OS command execution vulnerability providing an additional pathway to RCE.

The combination of these four vulnerabilities, particularly the SQL injection to command execution chain of CVE-2021-27101 and CVE-2021-27102, provided reliable unauthenticated RCE on any Accellion FTA appliance running versions before the patch release. Affected versions include FTA 9_12_432 and earlier.

Accellion FTA was an end-of-life product at the time of exploitation, with the vendor having announced its replacement (Kiteworks) years earlier. Many customers continued to run FTA because migration to Kiteworks required significant effort.

1

Identify Accellion FTA instances

Scan for Accellion FTA web portals. The FTA has a distinctive login interface and identifiable URL patterns. Known FTA customers were targeted selectively based on their public association with the product.

2

Exploit CVE-2021-27101 SQL injection

Send a crafted HTTP request to a vulnerable FTA endpoint with SQL injection payloads in input parameters. The unsanitized input reaches the database query, enabling arbitrary SQL execution.

3

Chain to OS command execution (CVE-2021-27102)

From the database access achieved via SQL injection, invoke OS command execution capability through database server extensions or stored procedure mechanisms, obtaining an OS shell on the FTA appliance.

4

Deploy DEWMODE web shell

Install DEWMODE, a PHP web shell specifically developed for the Accellion campaign, on the FTA appliance. DEWMODE provides persistent access for file listing, downloading, and command execution.

5

Exfiltrate files

Use DEWMODE to browse and download files that organizations had transferred through the FTA appliance, which often included sensitive documents, financial records, legal files, healthcare data, and government documents.

6

Extort organizations

Contact victim organizations threatening to publish stolen files on CLOP's leak site unless ransom was paid. Unlike encryption ransomware, the attack was pure data extortion with no operational disruption, making traditional backup-based recovery irrelevant.

The CLOP Campaign: Supply Chain Breach Without Encryption

The Accellion FTA campaign represented a novel approach to ransomware-adjacent extortion: targeting a file transfer platform used by dozens of high-value organizations simultaneously, rather than attacking each organization individually. Because Accellion FTA was the mechanism through which organizations transferred their most sensitive files, the data exfiltrated often included material of exceptional sensitivity.

Over 100 organizations were ultimately confirmed as CLOP victims in the Accellion campaign. The victim list included the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), the Washington State Auditor's Office (exposing data on 1.4 million unemployment insurance claimants), US grocery chain Kroger (exposing employee HR and pharmacy data), Shell (exposing employee and business partner data), the University of California system, Stanford University, and multiple major law firms.

The supply-chain characteristic of the attack, targeting a platform rather than individual organizations, meant that organizations with strong security postures could still be victimized if they were customers of a vulnerable service. This foreshadowed subsequent supply chain attacks including the Kaseya VSA breach and others.

The threat actors who compromised Accellion FTA appliances use the vulnerabilities to install a web shell called DEWMODE, through which they exfiltrate data from underlying FTA file systems.

Mandiant/FireEye Intelligence Report, February 2021
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Patching and Responding to CVE-2021-27101

Accellion released patches in January 2021 and later announced accelerated end-of-life for FTA, strongly urging migration to Kiteworks. The following steps address both immediate remediation and breach response.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The Accellion FTA campaign demonstrated that end-of-life software running in sensitive network positions represents existential risk, not just operational risk. FTA was announced end-of-life years before the breach. Organizations kept running it because migration was difficult. The result was that the most sensitive files they transferred, the ones with the highest security requirements, were exfiltrated by a ransomware group.

Data extortion without encryption is an increasingly common tactic because it is immune to the backup-based recovery that neutralizes encryption ransomware. When the attacker has your files, restoring from backup does not change the extortion calculus. Prevention of exfiltration, through timely patching, network monitoring, and data loss prevention, is the only effective defense.

The supply chain targeting model used against Accellion FTA is now standard operating procedure for sophisticated threat actors. The question to ask about every platform your organization uses for sensitive data transfer is: what happens if that platform's security fails? If the answer is mass exfiltration of your most sensitive files, the risk treatment requires more than patch management.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is CVE-2021-27101 and how did CLOP exploit it?

CVE-2021-27101 is a CVSS 9.8 unauthenticated SQL injection in Accellion FTA, a legacy managed file transfer appliance. CLOP ransomware (FIN11/UNC2546) chained this vulnerability with CVE-2021-27102 (OS command execution) to achieve RCE on FTA devices, then installed the DEWMODE PHP web shell to exfiltrate files. Over 100 organizations were victimized, including the Reserve Bank of New Zealand, ASIC, the Washington State Auditor's Office, Shell, Kroger, and multiple universities. Rather than encrypting files, CLOP threatened to publish stolen data unless ransoms were paid.

How do I fix CVE-2021-27101?

Apply Accellion's January 2021 patch (FTA version 9_12_444 or later) or, better, migrate from the end-of-life FTA product to a supported managed file transfer solution. If running a vulnerable version, take FTA offline immediately. Search for DEWMODE web shell indicators in FTA filesystem and Apache access logs per Mandiant's February 2021 IoC report. Inventory all files transferred through FTA during the exposure window and assess breach notification obligations.

Why couldn't organizations recover from this attack using backups?

CLOP's Accellion attack was pure data extortion, they exfiltrated files and threatened to publish them publicly, but did not encrypt anything. This makes traditional backup-based ransomware recovery completely ineffective: restoring from backup does not un-steal the files already in CLOP's possession. Once sensitive documents are in an attacker's hands, the only leverage is the extortion payment decision. Prevention of exfiltration is the only effective defense, which requires timely patching, network monitoring for unusual outbound data transfers, and data loss prevention controls.

What was the DEWMODE web shell used in the Accellion FTA attacks?

DEWMODE is a custom PHP web shell developed by the CLOP ransomware group (FIN11/UNC2546) specifically for the Accellion FTA campaign. Once installed on a vulnerable FTA appliance via the CVE-2021-27101 SQL injection chain, DEWMODE provides attackers with a persistent, browser-accessible interface for browsing the FTA file system, downloading stored files, and executing commands. Mandiant published specific DEWMODE indicators of compromise in their February 2021 analysis, including file names, hashes, and access log patterns associated with DEWMODE activity on compromised appliances.

Which major organizations were affected by the Accellion FTA breach?

Over 100 organizations were confirmed victims of the CLOP Accellion FTA campaign. Named victims include the Reserve Bank of New Zealand (central bank data exposed), the Australian Securities and Investments Commission (ASIC), the Washington State Auditor's Office (1.4 million unemployment claimant records exposed), Kroger (employee and pharmacy data), Shell (employee and business partner data), Qualys, Bombardier, the University of California system, Stanford University Medical Center, and multiple law firms. The breadth reflects the supply-chain nature of the attack: targeting the file transfer platform rather than each organization individually.

Should organizations still running Accellion FTA migrate to a different platform?

Yes, immediately. Accellion FTA reached end-of-life status, and the vendor (now Kiteworks) strongly urged all customers to migrate to its replacement platform following the 2021 exploitation campaign. Running an end-of-life managed file transfer appliance means no future security patches will be available for any newly discovered vulnerabilities, a situation that puts organizations at permanent risk. The Accellion breach itself was partly a product-lifecycle failure: many organizations ran FTA past its supported lifetime because migration was operationally complex, and paid the price when it became a mass exploitation target.

Sources & references

  1. NVD
  2. CISA Alert AA21-055A
  3. FireEye/Mandiant Report

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.