PT-2026-54437 · Stonefly · Storage Concentrator+1
David Yesland · Published 2026-06-30 · Updated 2026-06-30
·
CVE-2026-56413
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Storage Concentrator
Storage Concentrator Virtual Machine