Impact
The vulnerability stems from hard-coded credentials for a wide array of internal services embedded in a configuration file on the StoneFly Storage Concentrator (SC) and its virtual machine counterpart (SCVM). The credentials are stored in an encoded (not encrypted) format that can be readily reversed to plaintext, exposing database accounts, licensing keys, replication service credentials, and third-party integration credentials. An attacker who obtains these credentials can gain privileged access to multiple interconnected subsystems, compromising confidentiality and potentially integrity and availability throughout the storage environment.
Affected Systems
StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine running any version released before 8.0.4.29 contain the vulnerable configuration file. Upgrading to version 8.0.4.29 or later is required to remove the embedded hard‑coded credentials.
Risk and Exploitability
The CVSS score of 9.3 indicates critical severity; no EPSS score is available, so the exploitation likelihood remains uncertain. Based on the description, the likely attack paths are local access to the file system, remote privileged users who can read the configuration file, or exposed management interfaces that disclose configuration data. The vulnerability is not currently listed in the CISA KEV catalog, which suggests no confirmed exploitation reports, but the potential for broad system compromise warrants immediate action: upgrade to 8.0.4.29 or later and rotate any credentials that may have been exposed from the affected file.
OpenCVE Enrichment