Skip to main content

Storage Concentrator EUVDEUVD-2026-40845

| CVE-2026-56413 CRITICAL
OS Command Injection (CWE-78)
2026-06-30 ics-cert@hq.dhs.gov GHSA-h267-8j5j-27gj
10.0
CVSS 4.0 · Vendor: hq
Share

Severity by source

Vendor (hq) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.8 CRITICAL

Remote default-listening service with no auth or interaction gives AV:N/AC:L/PR:N/UI:N; root command execution yields full C:H/I:H/A:H, scope unchanged as impact stays on the appliance OS.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L

Primary rating from Vendor (hq).

CVSS VectorVendor: hq

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 02:16 EUVD
Analysis Generated
Jun 30, 2026 - 23:31 vuln.today

DescriptionCVE.org

Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.

AnalysisAI

Unauthenticated remote code execution in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets attackers run arbitrary commands as root by sending a crafted packet to the ms_service.pl listener on TCP port 9000. The flaw was reported through CISA ICS-CERT (advisory ICSA-26-181-06) and carries the maximum CVSS 4.0 base score of 10.0; no public exploit has been identified at time of analysis, but the combination of network reachability, zero authentication, and root-level impact makes this a top-priority issue for any exposed device.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach appliance on TCP port 9000
Delivery
Send crafted malicious packet
Exploit
ms_service.pl processes payload unsanitized
Execution
Inject OS command via CWE-78
Persist
Execute arbitrary command as root
Impact
Full appliance compromise and data access

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the ms_service.pl service on TCP port 9000, which listens by default - so a default-configured SC/SCVM appliance is exploitable out of the box with no authentication, no credentials, and no user interaction (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine, high-priority risk rather than a paper-tiger high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the appliance over the network sends a single specially crafted packet to TCP port 9000, embedding shell metacharacters in the payload that ms_service.pl passes unsanitized to a system command. The injected command executes as root, giving the attacker full control of the storage appliance - to exfiltrate or destroy stored data, pivot into the OT/storage network, or establish persistence. …
Remediation No vendor-released patch version was identified in the available data; refer to CISA ICS advisory ICSA-26-181-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06) and the CSAF JSON (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json) for the official fixed release and contact StoneFly (https://stonefly.com/contact-us/) to obtain it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Immediately isolate all StoneFly SC and SCVM appliances from untrusted networks; block TCP 9000 access via firewall rules to permit only trusted administrative networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy