cancel
Showing results for 
Search instead for 
Did you mean: 
Nir_Zigler
F5 Employee
F5 Employee

Recently it’s been reported that multiple threat actors are successfully exploiting newly discovered CVEs found in Accellion FTA (File Transfer Appliance).


Accellion FTA is an enterprise grade secure file transfer solution – it is based on PHP and supports on-premise, private cloud or hosted configurations.

The vulnerabilities were discovered in December 2020 and a patch was issued quickly by Accellion on December 23rd 2020.

The CVEs are the following:

CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header

CVE-2021-27102 – Operating system command execution via a local web service call

CVE-2021-27103 – Server-side request forgery via a crafted POST

CVE-2021-27104 – Operating system command execution via a crafted POST


Ideally, sensitive file sharing systems should be kept sufficiently restricted and network moderated – away from the access of public Internet. However, as it is a challenging task for organizations, many of them are failing to implement the required diligent steps to protect their digital assets.


FireEye has published a full forensic breakdown of the attack by threat actor UNC2546:

https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-exto...

From the report is seems the attack vector uses the SQLI vulnerability (CVE-2021-27101) to install the DEWMODE WebShell.


The payloads as shown in this attack are:

[.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))]

[.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))]

['))union(select(loc_id)from(net1.servers)where(proximity)=(0))]


These payload help the attacker extract a special key, which is subsequently used to interact with a page called sftp_account_edit.php.

This page is used to install a simple eval WebShell, which is then used to upload the more sophisticated DEWMODE WebShell.


Mitigation with Advanced WAF

Advanced WAF customers under any supported version are already protected against this vulnerability as exploitation attempts will be detected by SQL Injection and Command Execution attack signatures.


The SQL injection payloads have been tested against F5 WAF and found to be mitigated by the following attack signatures:

200002550 - SQL-INJ "end-quote UNION" (Parameter)

200000073 - SQL-INJ "UNION SELECT" (Parameter)

200002736 - SQL-INJ 'UNION SELECT (Parameter)

200002441 - SQL-INJ "reverse()" (Parameter)


0151T0000040KvcQAE.png


In addition, we have released dedicated attack signatures to provide coverage against the DEWMODE WebShell which was used extensively in this attack, in the form of the following signatures:

200019140 - DEWMODE WebShell upload attempt

200019141 - DEWMODE WebShell request attempt (2)

200019142 - Generic eval WebShell upload attempt

200019143 - DEWMODE WebShell detected

200019144 - DEWMODE WebShell request attempt (1)


To include the signatures mentioned in this article in your policy – make sure to enable SQL-Injection and Trojan/Backdoor/Spyware attack types.


The 3 other CVEs – concerning Operating System command execution and SSRF – can be mitigated with the Command Execution and Other Application Attacks signature sets.

Version history
Last update:
‎08-Mar-2021 11:08
Updated by:
Contributors