Impact
The StoneFly Storage Concentrator (both the device and its virtual machine variant) contains an OS command‑injection flaw in the ms_service.pl script. This service listens on TCP port 9000 and accepts custom packets to control the device. An attacker who can reach the machine over the network can send a specially crafted packet containing shell commands. Because the payload is accepted without proper sanitization, the malicious commands execute with root privileges, allowing the attacker to fully compromise the system. The weakness is classified as CWE‑78 (OS command injection).
Affected Systems
Affected products are StoneFly Storage Concentrator and StoneFly Storage Concentrator Virtual Machine. StoneFly recommends that all installations be upgraded to version 8.0.4.29 or later to remove the vulnerability. No specific earlier affected releases are listed; however, any deployment running ms_service.pl on port 9000 before the upgrade is potentially vulnerable.
Risk and Exploitability
The CVSS score of 10 reflects the critical nature of the vulnerability and its ability to provide unrestricted system access. The EPSS score of 3% indicates a low but non‑zero likelihood of exploitation, so mitigation remains urgent even if direct exploitation has not yet been observed. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog, yet the lack of any authentication requirement and the root‑level impact make it a prime target for attackers. Consequently, the vulnerability should be addressed immediately, preferably by upgrading to the patched version, and by restricting network access to the vulnerable port if a rapid patch is not feasible.
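The two mitigations above (upgrade to 8.0.4.29 or later, restrict access to TCP port 9000) can be tracked per appliance with a small triage script. This is an added example, not StoneFly or OpenCVE code; the inventory entries, host names and the assumption that appliances report their version in the same dotted form as "8.0.4.29" are constructed for illustration.

```python
import socket

FIXED = (8, 0, 4, 29)   # first fixed release named in the advisory
SERVICE_PORT = 9000     # TCP port ms_service.pl listens on, per the advisory

def parse_version(text):
    """Turn '8.0.4.29' into (8, 0, 4, 29); None if not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(version_text):
    """True/False when the version parses, None when it is unknown."""
    v = parse_version(version_text)
    if v is None:
        return None
    # Compare numerically: as strings, '8.0.4.3' would sort above '8.0.4.29'.
    v = v + (0,) * (len(FIXED) - len(v))   # pad short forms such as '8.1'
    return v >= FIXED

def port_reachable(host, port=SERVICE_PORT, timeout=2.0):
    """Plain TCP connect from the audit host; nothing is sent to the service."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def triage(version_text, reachable):
    """Map (reported version, port reachability) to a follow-up action."""
    patched = is_patched(version_text)
    if patched:
        return "patched"
    action = "upgrade" if patched is False else "verify version"
    if reachable:
        action += ", restrict port 9000"
    return action

# Constructed inventory: (name, address, reported version).
# Addresses are documentation placeholders (TEST-NET-1), not real hosts.
INVENTORY = [
    ("sc-lab-01", "192.0.2.10", "8.0.4.29"),
    ("sc-lab-02", "192.0.2.11", "8.0.4.3"),
    ("sc-vm-03", "192.0.2.12", "unknown"),
]

if __name__ == "__main__":
    for name, addr, ver in INVENTORY:
        print(f"{name:10} {ver:10} {triage(ver, port_reachable(addr))}")
```

Run it from the network segment whose access to port 9000 is supposed to be blocked, so that a reachable result reflects a real gap in the filtering.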