Command Injection Vulnerability in Storage Concentrator by Stonefly
CVE-2026-56415
10 CRITICAL
What is CVE-2026-56415?
The Storage Concentrator and Storage Concentrator Virtual Machine by Stonefly contain a command injection flaw within the debug.pl script. This vulnerability is accessible without authentication, allowing remote attackers to send malicious HTTP requests that are improperly processed due to insufficient input sanitization. This oversight can lead to arbitrary command execution with root-level privileges, posing a significant risk to the integrity and security of the system.
Affected Version(s)
Storage Concentrator 0 < 8.0.4.22
Storage Concentrator Virtual Machine 0 < 8.0.4.22
Storage Concentrator 8.0.4.29
CVSS V4
Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
David Yesland of Rhino Security Labs reported this vulnerability to CISA.
