CISA Warns of Critical Vulnerabilities in StoneFly Storage Concentrator Affecting Critical Infrastructure
CISA has issued a critical alert for multiple vulnerabilities in StoneFly Storage Concentrator versions prior to 8.0.4.29, potentially allowing attackers to gain broad unauthorized access and execute arbitrary commands with root privileges.

CISA has released an advisory detailing a series of critical vulnerabilities affecting StoneFly Storage Concentrator products, versions prior to 8.0.4.29. These flaws, if successfully exploited, could grant attackers extensive unauthorized access, enable arbitrary command execution with root privileges, facilitate sensitive data theft, and allow malicious actions on behalf of legitimate users across interconnected systems. The affected products include both the physical Storage Concentrator (SC) and its virtual machine (SCVM) variants.
The vulnerabilities span several categories, including OS Command Injection, Use of Hard-coded Credentials, SQL Injection, and Cross-site Scripting. The two OS Command Injection flaws, CVE-2026-56415 and CVE-2026-56413, allow an unauthenticated remote attacker to execute arbitrary commands with root privileges. CVE-2026-56415, in the debug.pl script, is reachable via specially crafted HTTP requests. CVE-2026-56413 resides in the ms_service.pl service, which listens on TCP port 9000 and accepts custom network packets that trigger device actions. Because the second path does not go through the web interface, restricting access to the management UI alone does not close it; port 9000 must be unreachable from untrusted networks until the device is patched.
Another significant vulnerability, CVE-2026-50110, involves the use of hard-coded credentials. These credentials, embedded in a configuration file used by numerous internal services such as databases, licensing, and replication, are encoded rather than encrypted, so anyone able to read the file can recover the plaintext. Successful exploitation could give an attacker unauthorized access to multiple interconnected systems, and because the values are hard-coded they are the same on every unpatched deployment.
Furthermore, CVE-2026-55721, an SQL injection vulnerability, affects cookie values processed by the login.pl and debug.pl scripts. An unauthenticated remote attacker can manipulate these cookie values to extract sensitive information from the underlying database, including session tokens and password hashes.
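To make the cookie-based injection class concrete, the following is an added example written for this article, not StoneFly's code: a session lookup that concatenates an unauthenticated cookie value into SQL, beside the same lookup with a bound parameter. The schema, table names, sample rows and the UNION payload are this example's own assumptions on a toy SQLite database; nothing here reflects the actual login.pl or debug.pl queries.

```python
"""Cookie-driven SQL injection, illustrated on a constructed SQLite schema.

Added example, not StoneFly code. Table and column names, sample data and
the lookup query are assumptions made for the illustration only."""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with password hashes and a
    sessions table mapping a cookie token to a user."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(name TEXT, pwhash TEXT);
        CREATE TABLE sessions(token TEXT, name TEXT);
        INSERT INTO users VALUES ('admin', '$6$saltsalt$fakehash');
        INSERT INTO sessions VALUES ('s3cr3ttoken', 'admin');
        """
    )
    return db


def user_for_cookie_vulnerable(db: sqlite3.Connection, cookie: str):
    """Resolve the session owner by building SQL from the raw cookie value.

    The cookie arrives before any authentication, so an attacker can close
    the string literal and append a UNION that reads another table."""
    sql = f"SELECT name FROM sessions WHERE token = '{cookie}'"
    return [row[0] for row in db.execute(sql)]


def user_for_cookie_fixed(db: sqlite3.Connection, cookie: str):
    """Same lookup with a bound parameter: the cookie is data, never SQL,
    so the payload is compared literally against the token column."""
    rows = db.execute("SELECT name FROM sessions WHERE token = ?", (cookie,))
    return [row[0] for row in rows]


# Constructed payload: closes the quote, appends a UNION over the users
# table, and comments out the trailing quote the original query supplies.
PAYLOAD = "x' UNION SELECT pwhash FROM users -- "
```

With the vulnerable lookup, `PAYLOAD` returns the stored password hash instead of a session owner; the parameterised version returns no rows for the same input. The advisory's description of extracting session tokens and password hashes is exactly this effect applied to a real schema.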
The affected versions are as follows: Storage Concentrator and Storage Concentrator Virtual Machine versions prior to 8.0.4.22 are vulnerable to CVE-2026-56415, CVE-2026-55721, and CVE-2026-50040 (the last is listed in the advisory but not detailed above). Versions prior to 8.0.4.26 are affected by CVE-2026-50110. Finally, versions prior to 8.0.4.29 are vulnerable to CVE-2026-56413. Put differently, a device on 8.0.4.22 through 8.0.4.28 still carries at least one root-level command injection, and only 8.0.4.29 or later closes all five.
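The version thresholds above are easy to misread when checking a fleet, so the following added example (written for this article, not StoneFly or CISA tooling) turns them into a lookup: given a reported SC or SCVM version string, it returns the CVEs from the advisory that still apply. The fix thresholds are taken from the advisory text; the function names and the numeric tuple comparison are this example's own choices.

```python
"""Map a StoneFly Storage Concentrator version string to the advisory CVEs
still unfixed at that version.

Added example, not StoneFly or CISA code. Thresholds come from the
advisory: a build is affected if it is strictly older than the fix."""

from typing import List, Tuple

# Version in which each CVE was fixed, per the advisory summary.
FIXED_IN = {
    "CVE-2026-56415": (8, 0, 4, 22),  # OS command injection, debug.pl
    "CVE-2026-55721": (8, 0, 4, 22),  # SQL injection via cookies
    "CVE-2026-50040": (8, 0, 4, 22),  # also fixed in 8.0.4.22
    "CVE-2026-50110": (8, 0, 4, 26),  # hard-coded credentials
    "CVE-2026-56413": (8, 0, 4, 29),  # OS command injection, ms_service.pl
}

FULLY_PATCHED = (8, 0, 4, 29)


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '8.0.4.22' into a tuple of ints.

    Comparing tuples, not strings, avoids the classic error where
    '8.0.4.9' sorts after '8.0.4.22' lexicographically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def exposed_cves(version: str) -> List[str]:
    """Return the advisory CVEs that still apply to `version`, sorted."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)


def is_fully_patched(version: str) -> bool:
    """True once the device is on 8.0.4.29 or later."""
    return parse_version(version) >= FULLY_PATCHED


if __name__ == "__main__":
    # Constructed inventory lines, one version string per device.
    for sample in ("8.0.4.9", "8.0.4.22", "8.0.4.26", "8.0.4.29"):
        print(sample, "->", exposed_cves(sample) or "patched")
```

Feed it the version reported by each appliance; any non-empty result means the device is exposed to at least one CVE and, for anything below 8.0.4.29, to an unauthenticated root command injection.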
These vulnerabilities pose a severe risk to critical infrastructure sectors, including the Defense Industrial Base, Energy, Financial Services, Healthcare and Public Health, and Information Technology. The potential for broad unauthorized access and command execution with root privileges could lead to significant disruptions, data breaches, and compromise of essential services.
StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediate these vulnerabilities. For additional support or questions, users are advised to contact StoneFly directly through their official contact page. The advisory highlights the critical need for organizations utilizing StoneFly products to apply the necessary patches promptly to mitigate these risks.