Critical Vulnerabilities in StoneFly Storage Concentrators Expose Industrial Systems to Root-Level Attacks
A series of critical vulnerabilities, some boasting a CVSS v3 score of 10, have been discovered in **StoneFly Storage Concentrator** and **Storage Concentrator Virtual Machine** products. Successful exploitation of these flaws could grant attackers broad unauthorized access, root-level command execution, and the ability to steal sensitive data across interconnected systems globally. IT security professionals and privacy-conscious users are urged to review the advisories and implement mitigation strategies immediately.
# Critical Vulnerabilities in StoneFly Storage Concentrators Expose Industrial Systems to Root-Level Attacks
**StoneFly Storage Concentrator** and its virtual machine counterpart are facing a severe security alert as multiple critical vulnerabilities have been disclosed. These flaws, affecting various versions, present a significant risk to organizations across vital sectors globally, including Defense Industrial Base, Energy, Financial Services, Healthcare, and Information Technology.
## The Scope of the Threat
The identified vulnerabilities could allow threat actors to achieve extensive unauthorized access, execute arbitrary commands with root privileges, exfiltrate sensitive data, and perform actions on behalf of legitimate users. With CVSS v3 scores reaching 10 for some issues, the potential impact is profound.
Affected versions of **StoneFly Storage Concentrator** and **Storage Concentrator Virtual Machine** include:
* `<8.0.4.22` (**CVE-2026-56415**, **CVE-2026-55721**, **CVE-2026-50040**)
* `<8.0.4.26` (**CVE-2026-50110**)
* `<8.0.4.29` (**CVE-2026-56413**)
## Deep Dive into the Vulnerabilities
### Hard-coded Credentials (**CVE-2026-50110**)
This vulnerability stems from the presence of hard-coded credentials for numerous internal services within a configuration file in **StoneFly Storage Concentrator** (SC & SCVM) versions `<8.0.4.26`. While encoded, these credentials can be reversed to plaintext, exposing database accounts, licensing, replication services, and third-party integrations. This grants attackers unauthorized access to multiple interconnected systems.
### Command Injection (**CVE-2026-56413** and **CVE-2026-56415**)
Two command injection vulnerabilities have been identified:
* **CVE-2026-56413**: Affecting versions `<8.0.4.29`, this flaw resides in the `ms_service.pl` service, listening on TCP port 9000. An unauthenticated remote attacker can send a specially crafted packet to execute arbitrary commands with root privileges due to inadequate sanitization.
* **CVE-2026-56415**: In versions `<8.0.4.22`, a command injection vulnerability exists in the `debug.pl` script, reachable without authentication. Malicious HTTP requests containing payloads can lead to arbitrary command execution with root privileges on the underlying system.
### SQL Injection (**CVE-2026-55721**)
Versions `<8.0.4.22` are susceptible to SQL injection through cookie values processed by the `login.pl` and `debug.pl` scripts. An unauthenticated remote attacker can manipulate database queries to extract sensitive information, including session tokens, password hashes, and secret keys, due to insufficient sanitization.
### Cross-site Scripting (XSS) (**CVE-2026-50040**)
Also affecting versions `<8.0.4.22`, a reflected cross-site scripting (XSS) vulnerability exists due to unsanitized content being echoed in 404 error pages. An attacker can craft a malicious URL that, when visited by an authenticated user, executes arbitrary script content within the victim's browser session, potentially leading to session hijacking or unauthorized actions.
## Acknowledgments and Recommendations
These vulnerabilities were reported to **CISA** by **David Yesland** of **Rhino Security Labs**. **CISA** strongly recommends that users take immediate defensive measures to minimize the risk of exploitation.
Key recommendations include:
* **Minimize Network Exposure**: Ensure all control system devices and systems are not accessible from the internet.
* **Network Segmentation**: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
* **Secure Remote Access**: When remote access is necessary, utilize secure methods like Virtual Private Networks (VPNs), ensuring VPNs are updated to the latest versions. Recognize that VPNs are only as secure as the connected devices.
* **Impact Analysis**: Conduct proper impact analysis and risk assessment before deploying defensive measures.
* **Proactive Defense**: Implement recommended cybersecurity strategies for proactive defense of ICS assets, as detailed in **CISA**'s ICS webpage.
* **Report Malicious Activity**: Organizations observing suspected malicious activity should follow established internal procedures and report findings to **CISA**.
* **Social Engineering Awareness**: Educate users on avoiding social engineering attacks, such as not clicking web links or opening attachments in unsolicited email messages.
These vulnerabilities pose a significant threat to critical infrastructure and data integrity. Prompt action and adherence to recommended security practices are crucial to mitigate potential risks.