PT-2026-54437 · Stonefly · Storage Concentrator +1

David Yesland · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-56413

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-56413

Affected Products

Storage Concentrator
Storage Concentrator Virtual Machine