CVE-2026-56413: OS Command Injection in StoneFly Storage Concentrator
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.
Metrics
- CVSS v4.0: 10.0
- Severity: CRITICAL
- Fixed in: 8.0.4.29
- Affected Products: 2
HarborGuard Analysis
Synopsis
OS command injection in StoneFly Storage Concentrator (SC and SCVM) allows an unauthenticated remote attacker to send a specially crafted packet to TCP port 9000, where the ms_service.pl service processes input without adequate sanitization. No credentials or victim interaction are required; the attacker sends the packet directly over the network. Successful exploitation gives the attacker arbitrary command execution with root-level privileges, enabling full system compromise. A patched-image rebuild at version 8.0.4.29 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-56413 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including ICS-CERT advisories, within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected StoneFly base layers.
HarborGuard is capable of scoring this finding at CVSS v4.0 10.0 (Critical) and weighting it against each environment's compliance policy to determine urgency and breach of policy thresholds. Triage routing is available to direct the alert to the appropriate team or inbox within each customer organization.
A patched-image rebuild pinned to StoneFly Storage Concentrator 8.0.4.29 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard is capable of performing a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach TCP port 9000 on the target host over the network; any internet- or LAN-exposed instance is directly at risk.
- Authentication: Not required
No credentials of any kind are required; the vulnerable ms_service.pl service accepts and processes packets from unauthenticated senders.
- Victim interaction: Not required
The attacker sends a crafted packet directly to the service; no user action or social engineering is needed.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or knowledge of environment-specific memory layout.
Blast Radius
- Attacker executes arbitrary OS commands with root privileges, giving full control over the underlying host or virtual machine.
- Attacker reads all data stored on or accessible through the Storage Concentrator, including volumes, snapshots, and credentials held in memory or on disk.
- Attacker modifies or destroys stored data, alters device configuration, or pivots to connected storage network segments (SC: High / SI: High impact confirmed by CVSS vector).
- Attacker disrupts availability of the Storage Concentrator itself; downstream systems depending on attached storage volumes lose access.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-56413 activates as soon as the advisory is ingested, matching all images in connected registries against the affected StoneFly Storage Concentrator version range (any release before 8.0.4.29). Given the Critical severity and a CVSS v4.0 score of 10.0, this finding is eligible for expedited triage routing under any policy that prioritizes Critical-rated vulnerabilities. For customers who opt into auto-remediation, HarborGuard can rebuild the image at version 8.0.4.29, run a regression test pass, and open a pull request against affected workloads; for high- and critical-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with fix-version details so engineering teams can act manually. Because this service listens on a non-standard TCP port (9000), customers should also review network policy rules to confirm that port is not exposed beyond the intended management boundary while the upgrade is in progress.
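The two manual checks described above (is a release before 8.0.4.29, and does any network policy rule allow TCP port 9000 from outside the management boundary) can be scripted as in the following added example, which is not HarborGuard or StoneFly code. The rule format, the management CIDR, the sample data and the four-part numeric version format are assumptions made for illustration, and rule precedence is not modeled, so the output is a list of rules to review.

```python
import ipaddress

FIXED = (8, 0, 4, 29)   # fixed release stated in the advisory
SERVICE_PORT = 9000     # default TCP port of ms_service.pl per the advisory

def parse_version(text):
    """Turn '8.0.4.29' into (8, 0, 4, 29); assumes four dotted numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(version):
    """Affected range on the page: any release before 8.0.4.29.
    Comparison is numeric per component, so 8.0.10.1 counts as newer than 8.0.4.29."""
    return parse_version(version) < FIXED

def exposing_rules(rules, mgmt_cidr):
    """Names of allow rules that let a source outside mgmt_cidr reach SERVICE_PORT."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    hits = []
    for rule in rules:
        lo, hi = rule["ports"]
        if rule["action"] != "allow" or not lo <= SERVICE_PORT <= hi:
            continue
        src = ipaddress.ip_network(rule["src"])
        # subnet_of raises TypeError across IP versions, so compare versions first
        inside = src.version == mgmt.version and src.subnet_of(mgmt)
        if not inside:
            hits.append(rule["name"])
    return hits

# Constructed sample rules in a hypothetical format, not from any real environment
SAMPLE_RULES = [
    {"name": "mgmt-to-sc", "action": "allow", "src": "10.20.0.0/24", "ports": (9000, 9000)},
    {"name": "lan-any-high", "action": "allow", "src": "10.0.0.0/8", "ports": (8000, 9999)},
    {"name": "other-svc", "action": "allow", "src": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "deny-9000", "action": "deny", "src": "0.0.0.0/0", "ports": (9000, 9000)},
]

if __name__ == "__main__":
    for v in ("8.0.4.28", "8.0.4.29", "8.0.10.1"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("rules to review:", exposing_rules(SAMPLE_RULES, "10.20.0.0/24"))
```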
Fix available
- StoneFly / Storage Concentrator: < 8.0.4.29 (from 0); fixed in 8.0.4.29
- StoneFly / Storage Concentrator Virtual Machine: < 8.0.4.29 (from 0); fixed in 8.0.4.29
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L