Impact
The vulnerability resides in the StoneFly Storage Concentrator (both hardware and virtual machine editions). The login.pl and debug.pl scripts incorporate cookie values directly into SQL queries without adequate sanitization. This flaw permits an unauthenticated remote attacker to inject arbitrary SQL, enabling extraction of sensitive data such as session tokens, password hashes, and stored secret keys. The weakness is categorized as CWE‑89, a classic SQL injection vulnerability.
Affected Systems
Affected products are StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine. The CVE does not enumerate specific firmware revisions, so users should confirm whether their current version contains the flaw. StoneFly recommends upgrading to version 8.0.4.29 or later to eliminate the vulnerable code paths.
Risk and Exploitability
The CVSS score of 9.2 denotes a high‑severity issue. EPSS information is unavailable, but the lack of KEV listing does not reduce the inherent risk. Because the flaw can be triggered from any external system that can set cookies on the web interface, an attacker can remotely execute the injection and exfiltrate confidential data without needing prior authentication. The vulnerability relies on unauthenticated access to the login and debug scripts, making it relatively easy to exploit in exposed or poorly protected environments.
OpenCVE Enrichment