CRITICAL | CVE-2026-56415 | Published | Modified | CNA: icscert

CVE-2026-56415: OS Command Injection in StoneFly Storage Concentrator

Storage Concentrator (SC & SCVM) contains a command injection vulnerability within the debug.pl script that is reachable without authentication. A remote attacker can submit a specially crafted HTTP request containing a malicious payload that is processed without adequate input sanitization, resulting in arbitrary command execution with root-level privileges on the underlying system.

Metrics

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: 8.0.4.22
Affected Products: 2


HarborGuard Analysis

Synopsis

OS command injection in StoneFly Storage Concentrator (SC and SCVM) allows a remote, unauthenticated attacker to execute arbitrary operating system commands with root-level privileges by sending a crafted HTTP request to the debug.pl script. The vulnerable endpoint performs no input sanitization and requires no authentication, making it reachable directly over the network. Successful exploitation gives the attacker full control of the underlying host. Patched-image rebuilds at versions 8.0.4.22 and 8.0.4.29 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-56415 is available across every HarborGuard environment; the CVE is ingested from upstream feeds (including ICS-CERT advisories) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images derived from affected StoneFly base layers.

Detection: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 10.0 (Critical) and weighting it against each customer environment's compliance policy to determine urgency and escalation path, routing findings to the appropriate team inbox within the customer organization.

Triage: Available

Patch

A patched-image rebuild at versions 8.0.4.22 or 8.0.4.29 becomes available on HarborGuard for any environment found running an affected version of Storage Concentrator or SCVM. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against affected workloads automatically.

Patch: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Storage Concentrator's HTTP service over the network; the vulnerable debug.pl endpoint is exposed on the network interface.

  • Authentication: Not required

    No credentials or session token are needed; the vulnerable endpoint processes requests from any unauthenticated caller.

  • Victim interaction: Not required

    The attacker submits a crafted HTTP request directly to the server; no user action or victim interaction is needed to trigger execution.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, memory layout assumptions, or environmental prerequisites are required.

Blast Radius

  • The attacker executes arbitrary OS commands as root, gaining complete control over the underlying host filesystem, processes, and configuration.
  • All data stored or accessible on the Storage Concentrator is readable, including stored credentials, encryption keys, and customer data volumes.
  • The attacker can modify or delete persisted storage data, disrupt replication, and corrupt volume metadata.
  • Downstream systems connected to the Storage Concentrator are reachable from the compromised host, expanding the attacker's foothold within the environment (CVSS subsequent-system impact: high confidentiality and integrity, SC:H/SI:H; low availability, SA:L).

How HarborGuard Handles This

Available on HarborGuard: detection for this critical-severity, zero-authentication RCE is active as soon as the CVE enters the ingestion pipeline, with matching against all images in connected registries including custom builds. For environments confirmed to be running an affected version of Storage Concentrator or SCVM (any release prior to 8.0.4.22), a rebuilt image at the patched version is made available. Where compliance policy permits, customers with auto-remediation enabled receive a full rebuild, a regression-test run, and an automatically opened PR targeting affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in those environments. Given the CVSS 10.0 score and unauthenticated network reachability, customers who cannot immediately apply the patch are advised to use HarborGuard network-policy controls to isolate the Storage Concentrator management interface from untrusted network segments, and to apply egress filtering rules to limit lateral movement from a potentially compromised host. HarborGuard will continue re-evaluating images against the advisory on every ingest cycle.
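An added example, not HarborGuard or StoneFly code: a log audit that lists every request reaching debug.pl and marks those arriving from outside the management segment, which is the exposure the isolation advice above is meant to close. The combined log format, the 10.20.0.0/24 management subnet, the /PLACEHOLDER/ path prefix and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: combined-log-format lines from a proxy or web server in front
# of the appliance; the page does not document the appliance's own logs.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')
# Characters a shell treats specially, checked after percent-decoding.
SHELL_META = re.compile(r'[;|&`$<>\n]')
# Assumption: hypothetical management subnet allowed to reach the interface.
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(src, trusted):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in trusted)

def audit(lines, trusted=TRUSTED):
    """Return one finding per logged request whose path names debug.pl."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        # Decode first so an encoded name such as debug%2Epl is still caught.
        segments = unquote(parts.path).lower().split("/")
        if "debug.pl" not in segments:
            continue
        pairs = parse_qsl(parts.query, keep_blank_values=True)
        findings.append({
            "src": m["src"],
            "status": int(m["status"]),
            "untrusted_source": not is_trusted(m["src"], trusted),
            "shell_metachar": any(SHELL_META.search(k) or SHELL_META.search(v)
                                  for k, v in pairs),
        })
    return findings

# Constructed sample lines (documentation addresses, placeholder path).
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2026:10:00:00 +0000] "GET /PLACEHOLDER/debug.pl HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:05:00 +0000] "POST /PLACEHOLDER/debug%2Epl?arg=one%3Btwo HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jan/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any finding with untrusted_source set means the management interface is still reachable from a segment it should be isolated from, whether or not the request itself looks hostile.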

Fix available

8.0.4.22, 8.0.4.29
Affected packages
  • Stonefly / Storage Concentrator
    < 8.0.4.22 (from 0)
    Fixed in 8.0.4.29
  • Stonefly / Storage Concentrator Virtual Machine
    < 8.0.4.22 (from 0)
    Fixed in 8.0.4.29
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L