Command Injection Vulnerability in Storage Concentrator by Stonefly
CVE-2026-56415

10 CRITICAL

What is CVE-2026-56415?

The Storage Concentrator and Storage Concentrator Virtual Machine by Stonefly contain a command injection flaw in the debug.pl script. The script is reachable without authentication, so a remote attacker can send malicious HTTP requests whose input is processed without sufficient sanitization. This can lead to arbitrary command execution with root-level privileges, compromising the integrity and security of the system.

Affected Version(s)

Storage Concentrator 0 < 8.0.4.22

Storage Concentrator Virtual Machine 0 < 8.0.4.22

Storage Concentrator 8.0.4.29

CVSS V4

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

David Yesland of Rhino Security Labs reported this vulnerability to CISA.