StoneFly Storage Concentrator Flaws Expose Root RCE and Data Theft
CISA's June 30 advisory for StoneFly Storage Concentrator flags hard-coded credentials, command injection, SQL injection, and XSS with root-level impact across SC and SCVM.
Published
Jul 01, 2026Duration
4 min readRisk Level
CriticalIntel Tags
Why it matters
StoneFly’s advisory matters because a storage platform that sits close to backups, replication, and shared data can turn a single flaw into broad compromise. CISA rates the advisory critical, and the highest-severity issues can lead to unauthenticated root command execution or credential abuse on affected Storage Concentrator and SCVM deployments. In practical terms, that means an exposed appliance could become a direct path to sensitive data, administrative control, and lateral movement in networks that rely on it for file or storage services.
What happened
On June 30, 2026, CISA published ICSA-26-181-06 for StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine. The advisory groups five CVEs and says successful exploitation could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems. The affected versions span multiple release lines, with different CVEs fixed by different firmware thresholds.
Technical details
CISA maps CVE-2026-56413 to an OS command injection issue in ms_service.pl, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. CISA maps CVE-2026-56415 to an unauthenticated command injection flaw in debug.pl that can be reached through a crafted HTTP request. CVE-2026-50110 covers hard-coded credentials embedded in a configuration file, while CVE-2026-55721 and CVE-2026-50040 cover SQL injection and reflected cross-site scripting. The advisory lists impacted builds below 8.0.4.22, 8.0.4.26, and 8.0.4.29 depending on the specific issue, and recommends upgrading to 8.0.4.29 or later.
Defender actions
Treat StoneFly Storage Concentrator and SCVM as urgent patch candidates. Upgrade to 8.0.4.29 or later, restrict management access to trusted networks, and review logs for unexpected requests involving ms_service.pl and debug.pl. Rotate any credentials that may have been embedded in configuration files, audit for unauthorized administrative actions or suspicious data access, and isolate any appliance that cannot be patched immediately behind VPN or strong network segmentation. Monitor for unusual outbound connections and unexpected service behavior until remediation is complete.