Skip to main content

Storage Concentrator CVE-2026-56415

| EUVDEUVD-2026-40844 CRITICAL
OS Command Injection (CWE-78)
2026-06-30 ics-cert@hq.dhs.gov GHSA-p9rg-4wjx-jm87
10.0
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Unauthenticated network request triggers shell injection (AV:N/AC:L/PR:N/UI:N); web-app flaw yields root on the host OS, a scope change (S:C) with full C/I/A loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:32 vuln.today

DescriptionCVE.org

Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.

AnalysisAI

Unauthenticated remote command injection in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets remote attackers run arbitrary OS commands as root by sending a crafted HTTP request to the debug.pl script, which processes attacker input without sanitization. Rated CVSS 4.0 10.0 and reported through CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach SC/SCVM web management interface
Delivery
Send crafted HTTP request to debug.pl
Exploit
Inject shell metacharacters into unsanitized parameter
Execution
Command executed as root
Impact
Full appliance compromise and data access

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to the Storage Concentrator HTTP management interface and the ability to send a request to the vulnerable debug.pl script; no authentication, credentials, or user interaction is needed (PR:N/UI:N), and default configurations are exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning for internet- or network-exposed StoneFly storage appliances sends a single crafted HTTP request to debug.pl with shell metacharacters embedded in a parameter; the script executes the payload, and the attacker gains a root shell on the storage controller. From there they exfiltrate or destroy stored volumes, pivot into the storage/OT network, or deploy persistence - all without any credentials, given the AV:N/AC:L/PR:N/UI:N profile. …
Remediation Apply the StoneFly-provided fix for Storage Concentrator SC and SCVM as published in CISA ICS advisory ICSA-26-181-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06) and the CSAF advisory (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json); an exact patched version was not present in the input data, so confirm the fixed release directly with StoneFly (https://stonefly.com/contact-us/) - do not deploy an assumed version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all StoneFly SC and SCVM instances and immediately restrict network access to the debug.pl endpoint (typically port 80/443) using firewall rules or network segmentation; disable public internet exposure to storage systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56415 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy