Connect with us

Hi, what are you looking for?



Accellion Patches Flaws Found During Facebook Hack

CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.

CERT/CC has published an advisory detailing the vulnerabilities uncovered by a researcher in February while trying to find security holes in one of Facebook’s servers.

While hunting for flaws that he could report to Facebook’s bug bounty program, security consultant Orange Tsai came across a domain called The domain hosted a login interface for an Accellion File Transfer Appliance, a device used by enterprises for secure file transfers.

An analysis revealed that the Accellion product had been plagued by 7 vulnerabilities, one of which allowed Tsai to upload a web shell to the Facebook server. Facebook said it stopped using the vulnerable software following the incident.

CERT/CC published an advisory on Friday to detail the vulnerabilities found by Tsai in the Accellion File Transfer Appliance. The flaw leveraged by the expert to upload a web shell is a SQL injection (CVE-2016-2351) caused by the improper handling of data in the “client_id” parameter in “/home/seos/courier/security_key2.api”

Another command injection flaw found by Tsai (CVE-2016-2352) is caused by unsafe handling of restricted users utilizing YUM_CLIENT. “This allows a restricted user to execute any command via root permission,” CERT said in its advisory.

The researcher also discovered three cross-site scripting (XSS) vulnerabilities (CVE-2016-2350) in the move_partition_frame.html, getimageajax.php and wmInfo.html web pages.

Finally, Tsai found a couple of local privilege escalation issues (CVE-2016-2353) related to incorrect default permissions.

“By default, the appliance allows a restricted user to add their SSH key to an alternate user group with additional permissions,” CERT said.

Advertisement. Scroll to continue reading.

Accellion patched these security holes with the release of the FTA_9_12_40 update in February. The company told SecurityWeek that it proactively reached out to customers at that time via email and phone to inform them of the vulnerability and the patch.

This was not the first time researchers found vulnerabilities in Accellion’s File Transfer Appliance. Security firm Rapid7 reported in 2010 that it had found several flaws that could have led to a remote root compromise.

In 2015, Rapid7 once again reported discovering flaws in the Accellion product, including file disclosure and remote command execution issues. When he discovered the presence of the Accellion software on Facebook’s server, Tsai attempted to exploit these vulnerabilities, but he determined that they had already been patched in Facebook’s installation.

However, he discovered that the same Facebook server had previously been accessed on at least two other occasions, including once in July 2015, right before Rapid7 disclosed the existence of the bugs. Facebook said another researcher had also been analyzing the server targeted by Tsai.

*Updated with information from Accellion regarding the availability of the patch

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.