Impact
The StoneFly Storage Concentrator and its virtual machine contain an OS command injection flaw in the debug.pl script. The vulnerability is reachable without authentication; a remote attacker can send a specially crafted HTTP request that is processed without proper input sanitization, leading to arbitrary command execution with root privileges on the underlying operating system. This gives full control over the appliance, allowing the attacker to install malware, exfiltrate data, or disrupt services. The weakness is identified as CWE‑78.
Affected Systems
Both the StoneFly Storage Concentrator hardware appliance and the Storage Concentrator Virtual Machine are affected. The issue exists in all versions released before the vendor‑recommended fix in version 8.0.4.29. No other version specifics are listed in the advisory.
Risk and Exploitability
The CVSS score of 10 indicates a critical risk level. No authentication is required and the flaw can be triggered with a single HTTP request, so the attack vector is remote, unauthenticated, and highly attackable. The EPSS score is 3%, but the lack of authentication and the high CVSS suggest that attackers are likely to exploit this vulnerability. The vulnerability is not listed in the CISA KEV catalog.
OpenCVE Enrichment