CVE-2026-56413
CRITICALOS Command Injection in StoneFly Storage Concentrator
Title source: cnaDescription
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.
Scores
CVSS v3
10.0
EPSS
0.0308
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-78
Status
published
Products (4)
StoneFly/Storage Concentrator
< 8.0.4.29
StoneFly/Storage Concentrator
8.0.4.29
StoneFly/Storage Concentrator Virtual Machine
< 8.0.4.29
StoneFly/Storage Concentrator Virtual Machine
8.0.4.29
Published
Jun 30, 2026
Tracked Since
Jul 01, 2026