SQL Injection Vulnerability in Storage Concentrator by StoneFly
CVE-2026-55721
9.2 CRITICAL
What is CVE-2026-55721?
The Storage Concentrator and its virtual machine counterpart are susceptible to SQL injection due to improper handling of cookie values within login and debug scripts. An attacker can exploit this flaw by sending crafted cookie data, which is directly inserted into database queries without proper validation. This can lead to unauthorized access to sensitive information, including session tokens, password hashes, and secret keys stored in the database, significantly compromising system security.
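The defect the description names, a cookie value spliced straight into the SQL text, shown beside a lookup that validates the token's shape and binds it as a query parameter. This is an added illustration, not code from StoneFly or from the advisory; the sessions table, the 16-hex-digit token format and the sample values are constructed assumptions.

```python
import re
import sqlite3

# Constructed sample schema and data, standing in for the product's session store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO sessions VALUES ('a3f9c2d1e4b5f6a7', 'admin')")
    conn.commit()
    return conn

# Assumed token format: exactly 16 lowercase hex digits (a constructed convention).
TOKEN_RE = re.compile(r"\A[0-9a-f]{16}\Z")

# Rejected cookie values are kept here so they can be surfaced for alerting.
REJECTED_COOKIES = []

def lookup_session_vulnerable(conn, cookie_value):
    # The pattern the advisory describes: the cookie value becomes part of the
    # statement text, so any SQL metacharacter in it reaches the SQL parser.
    sql = f"SELECT username FROM sessions WHERE token = '{cookie_value}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_session_hardened(conn, cookie_value):
    # Treat the cookie as opaque data: reject anything not shaped like a token,
    # then pass it as a bound parameter so the driver never interprets it as SQL.
    if not TOKEN_RE.match(cookie_value):
        REJECTED_COOKIES.append(cookie_value)
        return None
    row = conn.execute(
        "SELECT username FROM sessions WHERE token = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None

def cookie_breaks_statement(conn, cookie_value):
    # True when the vulnerable lookup lets the cookie alter the statement's syntax,
    # i.e. the database rejects the spliced query instead of treating the value as data.
    try:
        lookup_session_vulnerable(conn, cookie_value)
        return False
    except sqlite3.Error:
        return True
```

A cookie containing a stray quote makes the vulnerable lookup fail with a database error, which is the observable symptom that the value is being parsed as SQL; the hardened lookup simply returns no session and records the value for review.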
Affected Version(s)
Storage Concentrator: all versions before 8.0.4.22
Storage Concentrator Virtual Machine: all versions before 8.0.4.22
Storage Concentrator: 8.0.4.29
CVSS v4
Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None
Credit
David Yesland of Rhino Security Labs reported this vulnerability to CISA.
