Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote default-listening service with no auth or interaction gives AV:N/AC:L/PR:N/UI:N; root command execution yields full C:H/I:H/A:H, scope unchanged as impact stays on the appliance OS.
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.
AnalysisAI
Unauthenticated remote code execution in StoneFly Storage Concentrator (SC) and its virtual appliance variant (SCVM) lets attackers run arbitrary commands as root by sending a crafted packet to the ms_service.pl listener on TCP port 9000. The flaw was reported through CISA ICS-CERT (advisory ICSA-26-181-06) and carries the maximum CVSS 4.0 base score of 10.0; no public exploit has been identified at time of analysis, but the combination of network reachability, zero authentication, and root-level impact makes this a top-priority issue for any exposed device.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the ms_service.pl service on TCP port 9000, which listens by default - so a default-configured SC/SCVM appliance is exploitable out of the box with no authentication, no credentials, and no user interaction (PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to genuine, high-priority risk rather than a paper-tiger high score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the appliance over the network sends a single specially crafted packet to TCP port 9000, embedding shell metacharacters in the payload that ms_service.pl passes unsanitized to a system command. The injected command executes as root, giving the attacker full control of the storage appliance - to exfiltrate or destroy stored data, pivot into the OT/storage network, or establish persistence. … |
| Remediation | No vendor-released patch version was identified in the available data; refer to CISA ICS advisory ICSA-26-181-06 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06) and the CSAF JSON (https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json) for the official fixed release and contact StoneFly (https://stonefly.com/contact-us/) to obtain it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately isolate all StoneFly SC and SCVM appliances from untrusted networks; block TCP 9000 access via firewall rules to permit only trusted administrative networks. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40845
GHSA-h267-8j5j-27gj