Description
Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.
Published: 2026-06-30
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the presence of hard‑coded credentials for a wide array of internal services embedded in a configuration file on StoneFly Storage Concentrator (SC) and its virtual machine counterpart (SCVM). The credentials are stored in an encoded format that can be readily reversed to plaintext, exposing database accounts, licensing keys, replication service credentials, and third‑party integration credentials. An attacker who obtains these credentials can gain privileged access to multiple interconnected subsystems, compromising confidentiality and potentially integrity and availability throughout the storage environment.

Affected Systems

StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine running any version released before 8.0.4.29 contain the vulnerable configuration file. Upgrading to version 8.0.4.29 or later is required to remove the embedded hard‑coded credentials.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity; the EPSS score is not available, leaving the exact exploitation likelihood uncertain. Based on the description, the likely attack vectors are local actors with file system access, remote privileged users who can read the configuration file, or exploitation of exposed management interfaces that expose configuration data. The vulnerability is not currently listed in the CISA KEV catalog, which suggests no confirmed exploitation reports, but the potential for broad system compromise warrants immediate action.

Generated by OpenCVE AI on July 1, 2026 at 13:17 UTC.

Remediation

Vendor Solution

StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediate these vulnerabilities.

OpenCVE Recommended Actions

  • Upgrade StoneFly Storage Concentrator to version 8.0.4.29 or later
  • If an upgrade is not immediately possible, change all internal service credentials to unique, strong passwords and update the configuration files accordingly
  • Restrict file system permissions on the configuration file so that only authorized administrative accounts can read it

Generated by OpenCVE AI on July 1, 2026 at 13:17 UTC.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none shown)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 23:15:00 +0000

Type: Description
Values Removed: (none shown)
Values Added: Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.

Type: Title
Values Removed: (none shown)
Values Added: Use of Hard-coded Credentials in StoneFly Storage Concentrator

Type: Weaknesses
Values Removed: (none shown)
Values Added: CWE-798

Type: References
Values Removed: (none shown)
Values Added: (none shown)

Type: Metrics
Values Removed: (none shown)
Values Added: cvssV3_1 {'score': 9.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-07-01T12:40:24.035Z

Reserved: 2026-06-22T20:13:36.505Z

Link: CVE-2026-50110

Vulnrichment

Updated: 2026-07-01T12:40:19.599Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:30:15Z

Weaknesses

  • CWE-798: Use of Hard-coded Credentials