Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network request triggers shell injection (AV:N/AC:L/PR:N/UI:N); web-app flaw yields root on the host OS, a scope change (S:C) with full C/I/A loss.
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.
AnalysisAI
Unauthenticated remote command injection in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets remote attackers run arbitrary OS commands as root by sending a crafted HTTP request to the debug.pl script, which processes attacker input without sanitization. Rated CVSS 4.0 10.0 and reported through CISA ICS-CERT (advisory ICSA-26-181-06); no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to the Storage Concentrator HTTP management interface and the ability to send a request to the vulnerable debug.pl script; no authentication, credentials, or user interaction is needed (PR:N/UI:N), and default configurations are exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to top-tier priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning for internet- or network-exposed StoneFly storage appliances sends a single crafted HTTP request to debug.pl with shell metacharacters embedded in a parameter; the script executes the payload, and the attacker gains a root shell on the storage controller. From there they exfiltrate or destroy stored volumes, pivot into the storage/OT network, or deploy persistence - all without any credentials, given the AV:N/AC:L/PR:N/UI:N profile. … |
| Remediation | Apply the StoneFly-provided fix for Storage Concentrator SC and SCVM as published in CISA ICS advisory ICSA-26-181-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06) and the CSAF advisory (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json); an exact patched version was not present in the input data, so confirm the fixed release directly with StoneFly (https://stonefly.com/contact-us/) - do not deploy an assumed version number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all StoneFly SC and SCVM instances and immediately restrict network access to the debug.pl endpoint (typically port 80/443) using firewall rules or network segmentation; disable public internet exposure to storage systems. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40844
GHSA-p9rg-4wjx-jm87