StoneFly Security Advisory

Advisory ID: STONEFLY-SA-2026-001

Related Advisory: CISA ICSA-26-181-06

Severity: Critical (multiple vulnerabilities)

Summary

StoneFly has released security updates for multiple vulnerabilities affecting Storage Concentrator and Storage Concentrator Virtual Machine (SCVM). The issues identified include OS command injection, SQL injection, use of hard-coded credentials, and reflected cross-site scripting (XSS). Customers using affected versions should upgrade to the latest fixed release referenced in this advisory.

Overview

This advisory summarizes the vulnerabilities described in CISA ICS Advisory ICSA-26-181-06. The vulnerabilities were reported through coordinated vulnerability disclosure and affect management components of Storage Concentrator and SCVM. This document is intended to help customers identify affected systems and apply the recommended remediation.

Affected Products

Product                                      Affected Versions
Storage Concentrator                         Versions earlier than 8.0.4.22, 8.0.4.26, or 8.0.4.29, depending on the vulnerability
Storage Concentrator Virtual Machine (SCVM)  Versions earlier than 8.0.4.22, 8.0.4.26, or 8.0.4.29, depending on the vulnerability
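The following is an added example, not StoneFly's or CISA's code, for triaging an inventory of Storage Concentrator and SCVM instances against the fixed releases named above. It only distinguishes three states, because this advisory does not say which CVE is fixed in which of the three releases: a version below 8.0.4.22 predates every fix, a version from 8.0.4.22 up to but not including 8.0.4.29 has some fixes but not all, and 8.0.4.29 or later has them all. The hostnames and version strings are constructed sample data. The one thing the example deliberately shows is that versions must be compared numerically, component by component; compared as strings, "8.0.4.9" sorts after "8.0.4.29" and an unpatched host is silently reported as fixed.

```python
# Added example (not StoneFly's or CISA's code): classify installed
# Storage Concentrator / SCVM versions against the fixed releases named
# in this advisory. Hostnames and versions below are constructed input.
from __future__ import annotations

import re

# Fixed releases named in the advisory. The page does not map CVEs to
# releases, so the check only distinguishes "below every fix",
# "below the final fix", and "at or above the final fix".
FIRST_FIX = (8, 0, 4, 22)
FINAL_FIX = (8, 0, 4, 29)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'a.b.c.d' into a tuple of ints so comparison is numeric.

    Comparing version strings lexicographically is a classic inventory
    bug: '8.0.4.9' > '8.0.4.29' as strings, but not as versions.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple[int, ...], n: int) -> tuple[int, ...]:
    # Treat missing trailing components as zero, so "8.1" == "8.1.0.0".
    return v + (0,) * (n - len(v))


def classify(version: str) -> str:
    """Return 'vulnerable', 'partially-fixed', or 'fixed' for one version."""
    v = parse_version(version)
    n = max(len(v), len(FINAL_FIX))
    v, first, final = _pad(v, n), _pad(FIRST_FIX, n), _pad(FINAL_FIX, n)
    if v >= final:
        return "fixed"
    if v < first:
        return "vulnerable"
    return "partially-fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status; versions that do not parse go to 'unknown'."""
    out: dict[str, list[str]] = {
        "vulnerable": [], "partially-fixed": [], "fixed": [], "unknown": []
    }
    for host, version in sorted(inventory.items()):
        try:
            out[classify(version)].append(host)
        except ValueError:
            # An unreadable version must not be reported as fixed.
            out["unknown"].append(host)
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "scvm-dc1-01": "8.0.4.9",
    "scvm-dc1-02": "8.0.4.22",
    "sc-dc2-01": "8.0.4.29",
    "sc-dc2-02": "8.0.5.1",
    "sc-lab-01": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16} {', '.join(hosts) or '-'}")
```

Hosts in the "partially-fixed" bucket still need the 8.0.4.29 upgrade; the bucket exists only so that a host running 8.0.4.26 is not mistaken for an unpatched one during incident scoping. Anything in "unknown" should be treated as vulnerable until its version is confirmed.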

Vulnerability Summary

CVE-2026-56413  OS Command Injection            CVSS v3.1: 10.0
    Unauthenticated command injection in a management service may allow arbitrary command execution with elevated privileges.
CVE-2026-56415  OS Command Injection            CVSS v3.1: 10.0
    Command injection in a debugging component may permit arbitrary operating system command execution.
CVE-2026-55721  SQL Injection                   CVSS v3.1: 9.3
    Improper input validation may allow unauthenticated SQL injection and exposure of sensitive information.
CVE-2026-50110  Hard-coded Credentials          CVSS v3.1: 9.2
    Embedded credentials in internal components could enable unauthorized access if recovered.
CVE-2026-50040  Reflected Cross-Site Scripting  CVSS v3.1: Medium (qualitative rating; no numeric score given here)
    Improper handling of user input on error pages may allow reflected XSS.

Potential Impact

Depending on the vulnerability, successful exploitation could allow remote command execution, disclosure of sensitive information, unauthorized access using recovered credentials, or execution of client-side scripts in an authenticated user’s browser.

Resolution

StoneFly recommends upgrading affected deployments to Storage Concentrator version 8.0.4.29 or later, the release that contains fixes for all of the vulnerabilities listed above. Customers should confirm after maintenance that every Storage Concentrator and SCVM instance reports a fixed version, rather than relying on the update having been scheduled.

Mitigations

Until updates can be applied, restrict administrative interfaces to trusted networks, limit external exposure of management services, monitor for suspicious activity, and follow organizational security best practices. Because CVE-2026-56413 and CVE-2026-55721 require no authentication, network exposure of the management interface is the main driver of risk; a management interface reachable from untrusted networks should be treated as exposed to remote code execution until it is patched. These measures reduce exposure but do not replace installing the security update.

Acknowledgements

StoneFly acknowledges David Yesland of Rhino Security Labs for responsibly reporting the vulnerabilities.

References

  • CISA ICS Advisory ICSA-26-181-06
  • https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06