CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

StoneFly Storage Concentrator

criticalCVE-2026-56415CVE-2026-55721CVE-2026-50040CVE-2026-50110CVE-2026-56413
View CSAF Summary Successful exploitation of these vulnerabilities could allow attackers to gain broad unauthorized access, execute arbitrary commands with root privileges, steal sensitive data, and perform actions on behalf of legitimate users across interconnected systems. The following versions of StoneFly Storage Concentrator are affected: Storage Concentrator <8.0.4.22 (CVE-2026-56415, CVE-2026-55721, CVE-2026-50040) Storage Concentrator Virtual Machine <8.0.4.22 (CVE-2026-56415, CVE-2026-55721, CVE-2026-50040) Storage Concentrator <8.0.4.26 (CVE-2026-50110) Storage Concentrator Virtual Machine <8.0.4.26 (CVE-2026-50110) Storage Concentrator <8.0.4.29 (CVE-2026-56413) Storage Concentrator Virtual Machine <8.0.4.29 (CVE-2026-56413) CVSS Vendor Equipment Vulnerabilities v3 10 StoneFly StoneFly Storage Concentrator Use of Hard-coded Credentials, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Background Critical Infrastructure Sectors: Defense Industrial Base, Energy, Financial Services, Healthcare and Public Health, Information Technology Countries/Areas Deployed: Worldwide Company Headquarters Location: United States Vulnerabilities Expand All + CVE-2026-50110 Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems. View CVE Details Affected Products StoneFly Storage Concentrator Vendor:

CSIRTS triage

vendor: StoneFlyproduct: Storage ConcentratorRemote code executionOtheraffected: <8.0.4.22 for Storage Concentrator and Virtual Machine, <8.0.4.26, <8.0.4.29
What
Exploitation could allow unauthorized access and execution of arbitrary commands with root privileges.
Who is affected
Users of Storage Concentrator and Virtual Machine with affected versions.
Urgency
Remediation is critical due to the severity of the vulnerabilities.
Action
Update to versions above the specified limits.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Storage Concentrator

Get an email when a new Storage Concentrator advisory drops — max one per day, one-click unsubscribe.

Details

Source
CISA Cybersecurity Advisories (US · national-cert · site)
Severity
critical
Published
2026-06-30
Exploitation
Not in CISA KEV at last sync

Original advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-56415coverage & exploitation statusNVD · CVE.org
CVE-2026-55721coverage & exploitation statusNVD · CVE.org
CVE-2026-50040coverage & exploitation statusNVD · CVE.org
CVE-2026-50110coverage & exploitation statusNVD · CVE.org
CVE-2026-56413coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from CISA Cybersecurity Advisories