IM
IronMonkey Threat Research
‹ Back to ICS Advisories

StoneFly Storage Concentrator

CRITICAL
CVSS 10.0
Date 2026-06-30T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems.

// Vulnerabilities (5)

CVE ID CVSS Score Severity Description
CVE-2026-56415 10.0 critical
Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
CVE-2026-55721 9.3 critical
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
CVE-2026-50110 9.2 critical
Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.
CVE-2026-50040 6.1 medium
Storage Concentrator (SC & SCVM) is vulnerable to reflected cross-site scripting (XSS) due to unsanitized content being echoed back in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, causes arbitrary script content to execute within the victim's browser session in the context of the application. This could be leveraged to steal session cookies, redirect users, or perform unauthorized actions on behalf of the victim.
CVE-2026-56413 10.0 critical
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.

// Affected Products (1)

Vendor Product Asset Type Purdue Level Firmware
StoneFly Unknown rtu
L1
--

// Remediations (2)

Patch: StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediat
StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediate these vulnerabilities.
Mitigation: For additional questions or support, users may contact StoneFly at https://stonefly.com/contact-us/.
For additional questions or support, users may contact StoneFly at https://stonefly.com/contact-us/.

// References