TL;DR
CISA published an advisory for five StoneFly Storage Concentrator vulnerabilities on 30 June 2026. Two carry the maximum CVSS score of 10.0, and both let an unauthenticated remote attacker run commands as root. No exploitation in the wild has been confirmed.
Why It Matters
The Storage Concentrator manages enterprise storage and replication, so it sits deep inside data infrastructure. CISA links affected devices to the energy, healthcare, financial, and defense sectors. Many operators run these appliances behind SCADA historians and backup stores. A root compromise there exposes the stored data and every system the appliance connects to: an attacker could wipe backups, plant ransomware, or pivot across the network. That is why these StoneFly Storage Concentrator flaws carry serious weight.
How the Attacks Work
Unauthenticated command injection
CVE-2026-56413 lives in the ms_service.pl service listening on TCP port 9000. The service accepts network packets without proper sanitization, so a remote attacker can run commands as root with a single crafted packet and no credentials. CVE-2026-56415 sits in the debug.pl script and likewise needs no login: a malicious HTTP request yields root command execution. Both flaws score CVSS 10.0.
SQL injection and stolen secrets
CVE-2026-55721 abuses cookie values in the login.pl and debug.pl scripts. The code drops those values straight into database queries, so an unauthenticated attacker can extract session tokens, password hashes, and secret keys. Those stolen secrets then unlock deeper access, since a valid session token is as good as a login. This flaw rates CVSS 9.3.
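The pattern behind this class of bug, as an added illustration rather than StoneFly's code: a cookie value interpolated into SQL text beside the same lookup done with a bound parameter. The sessions table, cookie name and rows are constructed for the example; the real schema and the Perl scripts named in the advisory are not reproduced here.

```python
"""Cookie-to-SQL injection: vulnerable string interpolation versus a bound
parameter. Schema and data are constructed for this example; they are not
the appliance's database layout."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database holding the kind of data the advisory
    says was reachable: per-user session tokens and password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE sessions (
            session_id TEXT PRIMARY KEY,
            username   TEXT,
            pw_hash    TEXT
        );
        INSERT INTO sessions VALUES ('sess-alice-1', 'alice', '$6$alicehash');
        INSERT INTO sessions VALUES ('sess-admin-9', 'admin', '$6$adminhash');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, cookie_session_id: str) -> list:
    """Vulnerable pattern: the cookie value becomes part of the SQL text, so
    whoever sets the cookie controls the query structure."""
    sql = (
        "SELECT username, pw_hash FROM sessions "
        f"WHERE session_id = '{cookie_session_id}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, cookie_session_id: str) -> list:
    """Hardened pattern: a bound parameter keeps the cookie value as data,
    whatever quotes or keywords it contains."""
    sql = "SELECT username, pw_hash FROM sessions WHERE session_id = ?"
    return conn.execute(sql, (cookie_session_id,)).fetchall()


# A cookie value an unauthenticated client could send: it closes the string
# literal and makes the WHERE clause true for every row, dumping all
# usernames and password hashes.
DUMP_ALL_ROWS = "' OR '1'='1"


def usernames(rows: list) -> list:
    """Sorted usernames from a result set, for order-independent comparison."""
    return sorted(user for user, _ in rows)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, DUMP_ALL_ROWS))  # every row
    print("safe:", lookup_safe(db, DUMP_ALL_ROWS))              # no rows
```

The same crafted value that dumps the whole table through the interpolated query matches nothing through the parameterized one; no amount of input "sanitization" substitutes for keeping the value out of the SQL text.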
Hardcoded credentials
CVE-2026-50110 exposes hardcoded credentials in a configuration file. The values are encoded rather than encrypted, so anyone who can read the file can reverse them to plaintext. They cover database, licensing, replication, and third-party accounts, so one leaked file can chain into several systems. This flaw rates CVSS 9.2.
Reflected XSS
CVE-2026-50040 echoes unsanitized input on 404 error pages, so a crafted link can run script in a logged-in user's browser. It needs a victim to follow the link, which is why it rates a lower CVSS 6.1.
Affected Versions
The debug.pl injection (CVE-2026-56415), the SQL injection (CVE-2026-55721), and the XSS (CVE-2026-50040) affect builds before 8.0.4.22. The hardcoded-credentials bug (CVE-2026-50110) affects builds before 8.0.4.26. The port 9000 injection (CVE-2026-56413) affects builds before 8.0.4.29. Both the physical appliance and the virtual-machine edition are affected.
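A quick way to turn the affected-version list above into an answer for a specific device, added here as an example and not a StoneFly tool: compare the build string numerically against the first fixed build for each CVE. It assumes builds are dotted integers like 8.0.4.22 and uses only the thresholds stated in this article.

```python
"""Which of the five CVEs still apply to a given Storage Concentrator build.
Thresholds are the first fixed builds from the advisory summary; a build is
affected when it is older than the fix. Version strings are assumed to be
dotted integers such as '8.0.4.22'."""

FIXED_IN = {
    "CVE-2026-56415": "8.0.4.22",  # debug.pl command injection
    "CVE-2026-55721": "8.0.4.22",  # cookie SQL injection in login.pl/debug.pl
    "CVE-2026-50040": "8.0.4.22",  # reflected XSS on 404 pages
    "CVE-2026-50110": "8.0.4.26",  # hardcoded credentials in config file
    "CVE-2026-56413": "8.0.4.29",  # ms_service.pl injection on TCP 9000
}


def parse_version(text: str) -> tuple:
    """'8.0.4.22' -> (8, 0, 4, 22). Compare numerically, not as strings,
    so that 8.0.4.9 correctly sorts below 8.0.4.22."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def outstanding_cves(build: str) -> list:
    """CVE IDs that still affect `build`, ordered by the fix that closes them."""
    current = parse_version(build)
    return sorted(
        (cve for cve, fixed in FIXED_IN.items() if current < parse_version(fixed)),
        key=lambda cve: (parse_version(FIXED_IN[cve]), cve),
    )


def fully_patched(build: str) -> bool:
    """True only when no listed CVE applies, i.e. build >= 8.0.4.29."""
    return not outstanding_cves(build)


if __name__ == "__main__":
    for b in ("8.0.4.9", "8.0.4.22", "8.0.4.26", "8.0.4.29"):
        print(b, "->", outstanding_cves(b) or "fully patched")
```

Note that an intermediate build such as 8.0.4.26 closes the hardcoded-credentials bug but still leaves the CVSS 10.0 port 9000 injection open; only 8.0.4.29 or later clears the whole list.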
Patch and Mitigation
StoneFly recommends upgrading to Storage Concentrator 8.0.4.29 or later, so apply that build without delay. Note that 8.0.4.29 is the only build that closes all five flaws; an intermediate build such as 8.0.4.26 still leaves the port 9000 injection open. Until you patch, keep the device off the public internet and restrict the web interface and TCP port 9000 to a management network. After patching, rotate any credentials the configuration file may have exposed, and, because the SQL injection could yield session tokens and password hashes, invalidate existing sessions and reset user passwords as well. Watch device logs for unexpected requests to debug.pl and for traffic to port 9000 from hosts that have no business there.