Description
Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
Published: 2026-06-30
Score: 10 Critical
EPSS: 3.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The StoneFly Storage Concentrator and its virtual machine contain an OS command injection flaw in the debug.pl script. The vulnerability is reachable without authentication; a remote attacker can send a specially crafted HTTP request that is processed without proper input sanitization, leading to arbitrary command execution with root privileges on the underlying operating system. This gives full control over the appliance, allowing the attacker to install malware, exfiltrate data, or disrupt services. The weakness is classified as CWE-78.

Affected Systems

Both the StoneFly Storage Concentrator hardware appliance and the Storage Concentrator Virtual Machine are affected. The issue exists in all versions released before the vendor-recommended fix in version 8.0.4.29. No other version specifics are listed in the advisory.

Risk and Exploitability

The CVSS score of 10 indicates a critical risk level. No authentication is required and the flaw can be triggered with a single HTTP request, so the attack vector is remote, unauthenticated, and easy to exploit. The EPSS score is 3%, but the lack of authentication and the high CVSS score suggest that attackers are likely to exploit this vulnerability. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on July 1, 2026 at 15:13 UTC.

Remediation

Vendor Solution

StoneFly recommends that users upgrade to Storage Concentrator version 8.0.4.29 or later to remediate these vulnerabilities.


OpenCVE Recommended Actions

  • Upgrade the Storage Concentrator hardware appliance and its virtual machine to version 8.0.4.29 or later.
  • Disable or delete the debug.pl script from the system to eliminate the attack surface.
  • If an upgrade cannot be performed immediately, block or filter network traffic to the debug.pl URL using a firewall or access control list to prevent unauthenticated requests.


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 23:15:00 +0000

Values Removed: (none)
Values Added:

Description: Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
Title: OS Command Injection in StoneFly Storage Concentrator
Weaknesses: CWE-78
References: (none)
Metrics: cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-07-01T12:42:03.699Z

Reserved: 2026-06-22T20:13:36.516Z

Link: CVE-2026-56415

Vulnrichment

Updated: 2026-07-01T12:41:58.554Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T15:15:04Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')