HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-50110Published Modified CNA icscert

CVE-2026-50110: Use of Hard-coded Credentials in StoneFly Storage Concentrator

Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.

Metrics

CVSS v4.0
9.3
Severity
CRITICAL
Fixed in
8.0.4.26
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Use of hard-coded credentials in StoneFly Storage Concentrator (SC and SCVM) allows an attacker who can read the embedded configuration file to recover plaintext credentials for a wide range of internal services. The CVSS vector indicates local access is required with no authentication or user interaction needed, meaning an attacker already on the host can extract and decode the credentials without any privilege barrier. Successful exploitation grants unauthorized access to database accounts, licensing services, replication services, and third-party integrations, enabling both data theft and tampering across interconnected systems. Patched-image rebuilds at versions 8.0.4.26 and 8.0.4.29 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-50110 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including ICS-CERT, covering both vendor-supplied and custom-built Storage Concentrator images. Any image layer carrying an affected version of the SC or SCVM package is flagged automatically as it enters the registry or CI/CD pipeline.

Available
Triage

HarborGuard surfaces this CVE with its CVSS v4.0 score of 9.3 (Critical) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage routing is available to direct the alert to the team responsible for storage infrastructure or ICS workloads, depending on how inbox rules are configured.

Available
Patch

A patched-image rebuild at versions 8.0.4.26 and 8.0.4.29 is available on HarborGuard for any environment found running an affected image. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityNot required

    The attack vector is local (AV:L), so the attacker needs an existing shell or process on the host to read the configuration file.

  • AuthenticationNot required

    No privileges are required (PR:N), meaning any process or user that can access the filesystem can retrieve the encoded credentials without authenticating first.

  • Victim interactionNot required

    No user interaction is required (UI:N); the attacker can extract and decode the credentials entirely on their own.

  • Attack complexityDetail

    Attack complexity is low (AC:L), meaning the exploit is straightforward and condition-free once local access is established.

Blast Radius

  • Reads plaintext database credentials recovered from the configuration file, exposing stored records across all connected database accounts.
  • Modifies or corrupts replicated data by leveraging recovered replication-service credentials across interconnected storage nodes.
  • Accesses third-party integration accounts and licensing services using the extracted credentials, extending the breach beyond the local host.
  • Causes limited disruption to the storage service itself (VA:L), but achieves high-impact compromise of both the local system and connected upstream systems (SC:H, SI:H).

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication, matching all images in customer registries and pipelines against the affected version range for both SC and SCVM. For environments with auto-remediation enabled, HarborGuard rebuilds the image at version 8.0.4.26 or 8.0.4.29, runs a regression test, and opens a PR against affected workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy or change-control requirements prevent auto-remediation, HarborGuard flags the finding for manual review and routes it to the configured storage or ICS team inbox. As a compensating control while a rebuild is being approved, network-policy isolation of the affected Storage Concentrator host limits the window in which an attacker with local access can pivot to connected services using the recovered credentials.

See how HarborGuard automates this

Fix available

8.0.4.268.0.4.29
Affected packages
  • StoneFly / Storage Concentrator
    < 8.0.4.26 (from 0)
    Fixed in 8.0.4.29
  • StoneFly / Storage Concentrator Virtual Machine
    < 8.0.4.26 (from 0)
    Fixed in 8.0.4.29
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L