Command Injection Vulnerability in Storage Concentrator by StoneFly
CVE-2026-56413
10 CRITICAL
What is CVE-2026-56413?
The StoneFly Storage Concentrator and its Virtual Machine version are vulnerable to command injection in the ms_service.pl service. The service listens on TCP port 9000 and accepts network packets that trigger device actions, but it does not properly validate that input. An unauthenticated remote attacker who sends specially crafted packets could execute arbitrary commands with root-level privileges, compromising the integrity and security of the affected systems.
Affected Version(s)
Storage Concentrator: versions before 8.0.4.29
Storage Concentrator Virtual Machine: versions before 8.0.4.29
Storage Concentrator 8.0.4.29
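For triaging an appliance inventory against this advisory, the following sketch is an added example and not code from StoneFly, CISA or the reporter. It assumes that 8.0.4.29 and later fall outside the affected range, as the range above implies; the record layout, host names and the `reachable_ports` field (ports reachable from untrusted networks, per your firewall data) are hypothetical.

```python
import re

# From the advisory: versions before 8.0.4.29 are affected; ms_service.pl is on TCP 9000.
FIRST_UNAFFECTED = (8, 0, 4, 29)
SERVICE_PORT = 9000

def parse_version(text):
    """Return a 4-part integer tuple, or None when the string is not N.N.N.N."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def triage(host):
    """Classify one inventory record (hypothetical dict layout)."""
    version = parse_version(host.get("version"))
    if version is None:
        return "unknown-version"          # needs a manual check, never assume safe
    if version >= FIRST_UNAFFECTED:       # numeric compare: 8.0.4.3 < 8.0.4.29
        return "not-affected"
    exposed = SERVICE_PORT in host.get("reachable_ports", ())
    return "affected-exposed" if exposed else "affected-filtered"

PRIORITY = ["affected-exposed", "affected-filtered", "unknown-version", "not-affected"]

def triage_inventory(hosts):
    """Return (name, status) pairs, most urgent first."""
    results = [(h["name"], triage(h)) for h in hosts]
    return sorted(results, key=lambda r: (PRIORITY.index(r[1]), r[0]))

# Constructed sample inventory; names, versions and ports are made up.
SAMPLE = [
    {"name": "sc-lab-01", "version": "8.0.4.29", "reachable_ports": [443, 9000]},
    {"name": "sc-prod-01", "version": "8.0.4.3", "reachable_ports": [443, 9000]},
    {"name": "sc-prod-02", "version": "8.0.3.10", "reachable_ports": [443]},
    {"name": "scvm-dr-01", "version": "8.0.4", "reachable_ports": [9000]},
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE):
        print(f"{name}: {status}")
```

Version parts are compared as integers because a plain string comparison would rank 8.0.4.3 above 8.0.4.29 and mark an affected build as safe.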
CVSS V4
Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
David Yesland of Rhino Security Labs reported this vulnerability to CISA.
