Accellion Patches Flaws Found During Facebook Hack

CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.

While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.

CERT/CC published an advisory on Friday to detail the vulnerabilities found by Tsai in the Accellion File Transfer Appliance. The flaw leveraged by the expert to upload a web shell is a SQL injection (CVE-2016-2351) caused by the improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api”.

Another command injection flaw found by Tsai (CVE-2016-2352) is caused by unsafe handling of restricted users utilizing YUM_CLIENT. “This allows a restricted user to execute any command via root permission,” CERT said in its advisory.

The researcher also discovered three cross-site scripting (XSS) vulnerabilities (CVE-2016-2350) in the move_partition_frame.html, getimageajax.php and wmInfo.html web pages.

Finally, Tsai found a couple of local privilege escalation issues (CVE-2016-2353) related to incorrect default permissions.

“By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions,” CERT said.

Accellion patched these security holes with the release of the FTA_9_12_40 update in February. The company told SecurityWeek that it proactively reached out to customers at that time via email and phone to inform them of the vulnerability and the patch.

This was not the first time researchers found vulnerabilities in Accellion’s File Transfer Appliance. Security firm Rapid7 reported in 2010 that it had found several flaws that could have led to a remote root compromise.

In 2015, Rapid7 once again reported discovering flaws in the Accellion product, including file disclosure and remote command execution issues. When he discovered the presence of the Accellion software on Facebook’s server, Tsai attempted to exploit these vulnerabilities, but he determined that they had already been patched in Facebook’s installation.

However, he discovered that the same Facebook server had previously been accessed on at least two other occasions, including once in July 2015, right before Rapid7 disclosed the existence of the bugs. Facebook said another researcher had also been analyzing the server targeted by Tsai.

*Updated with information from Accellion regarding the availability of the patch

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
