Accellion Patches Flaws Found During Facebook Hack

CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.

While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.

CERT/CC published an advisory on Friday to detail the vulnerabilities found by Tsai in the Accellion File Transfer Appliance. The flaw leveraged by the expert to upload a web shell is a SQL injection (CVE-2016-2351) caused by the improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api”.

Tsai also found a command injection flaw (CVE-2016-2352), caused by unsafe handling of restricted users utilizing YUM_CLIENT. “This allows a restricted user to execute any command via root permission,” CERT said in its advisory.

The researcher also discovered three cross-site scripting (XSS) vulnerabilities (CVE-2016-2350) in the move_partition_frame.html, getimageajax.php and wmInfo.html web pages.

Finally, Tsai found a couple of local privilege escalation issues (CVE-2016-2353) related to incorrect default permissions.

“By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions,” CERT said.

Accellion patched these security holes with the release of the FTA_9_12_40 update in February. The company told SecurityWeek that it proactively reached out to customers at that time via email and phone to inform them of the vulnerability and the patch.
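For teams reviewing an appliance that ran an earlier release, the sketch below is an added example (not code from the article, CERT/CC or Accellion) that triages web access logs for requests to the files named above. The combined log format, matching on file name alone, the alphanumeric-only `client_id` rule, and the sample lines with their `/courier/` prefix and `doc` parameter are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# File names come from the article; URL prefixes are not given, so match on the name only.
SQLI_FILE = "security_key2.api"
XSS_FILES = {"move_partition_frame.html", "getimageajax.php", "wmInfo.html"}
# Assumption: Apache/nginx combined log format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# Assumption: a legitimate client_id holds only letters, digits, "-" and "_".
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]*$")
MARKUP = re.compile(r"[<>\"']")

# Constructed sample lines (documentation IP ranges, hypothetical URL prefix and parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2016:10:00:00 +0000] "GET /courier/security_key2.api?client_id=abc123 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [01/Mar/2016:10:00:05 +0000] "GET /courier/security_key2.api?client_id=1%2527 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [01/Mar/2016:10:00:09 +0000] "GET /courier/getimageajax.php?doc=%3Cb%3E HTTP/1.1" 200 90 "-" "-"',
    '192.0.2.10 - - [01/Mar/2016:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

def decode_fully(value):
    """URL-decode repeatedly (max three passes) so double-encoded values are seen in the clear."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(lines):
    """Return (client_ip, file_name, reason) for each request that deserves a closer look."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        ip, target = m.groups()
        url = urlsplit(target)
        name = url.path.rsplit("/", 1)[-1]
        params = [(k, decode_fully(v)) for k, v in parse_qsl(url.query, keep_blank_values=True)]
        if name == SQLI_FILE:
            if any(k == "client_id" and not SAFE_ID.match(v) for k, v in params):
                findings.append((ip, name, "client_id has unexpected characters"))
        elif name in XSS_FILES and any(MARKUP.search(v) for _, v in params):
            findings.append((ip, name, "markup characters in query string"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so parameters sent in a POST body will not appear and need a proxy or application-level log instead.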

This was not the first time researchers found vulnerabilities in Accellion’s File Transfer Appliance. Security firm Rapid7 reported in 2010 that it had found several flaws that could have led to a remote root compromise.

In 2015, Rapid7 once again reported discovering flaws in the Accellion product, including file disclosure and remote command execution issues. When he discovered the presence of the Accellion software on Facebook’s server, Tsai attempted to exploit these vulnerabilities, but he determined that they had already been patched in Facebook’s installation.

However, he discovered that the same Facebook server had previously been accessed on at least two other occasions, including once in July 2015, right before Rapid7 disclosed the existence of the bugs. Facebook said another researcher had also been analyzing the server targeted by Tsai.

*Updated with information from Accellion regarding the availability of the patch

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
