CVE-2026-56413
StoneFly · Storage Concentrator
StoneFly Storage Concentrator is vulnerable to unauthenticated remote command injection via the ms_service.pl service, allowing root-level arbitrary code execution.
Executive summary
A critical command injection vulnerability in StoneFly Storage Concentrator allows unauthenticated remote attackers to execute arbitrary code with root privileges.
Vulnerability
This is a command injection vulnerability located in the ms_service.pl service (TCP port 9000), where improper sanitization of network packets allows an unauthenticated remote attacker to execute system commands as root.
Business impact
The vulnerability carries a CVSS score of 10.0, indicating the highest possible severity. Successful exploitation results in a complete compromise of the storage appliance, potentially leading to unauthorized data access, total system disruption, and the establishment of persistent backdoors within the storage infrastructure.
Remediation
Immediate Action: Apply the latest firmware or software update provided by StoneFly to address the command injection flaw in ms_service.pl.
Proactive Monitoring: Monitor network traffic directed at TCP port 9000 for unusual packet structures or patterns indicative of injection attempts.
Compensating Controls: Implement strict network segmentation and firewall rules to restrict access to the affected service to trusted management IP addresses only.
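The two controls above (monitoring traffic to TCP port 9000 and restricting that port to trusted management addresses) can be checked and enforced with a short script. The following is an added example written for this page, not StoneFly code or tooling; it assumes a constructed firewall-style log line format, a placeholder management network of 10.20.0.0/24, and that the allowlist rules are applied on an nftables host or firewall placed in front of the appliance rather than on the appliance itself.

```python
import ipaddress
import re

# TCP port of the affected ms_service.pl service, as stated in the advisory.
MS_SERVICE_PORT = 9000

# Assumed management network(s) permitted to reach the service (placeholder values).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed log format for this example (not a real vendor or firewall format):
# "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<proto> spt=<port> dpt=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)$"
)

# Constructed sample log lines: one management host, one untrusted host reaching
# port 9000, one untrusted host on an unrelated port, one blocked attempt, one
# malformed line.
SAMPLE_LOG = [
    "2026-01-10T08:00:01Z ACCEPT src=10.20.0.15 dst=10.20.5.40 proto=TCP spt=51234 dpt=9000",
    "2026-01-10T08:00:07Z ACCEPT src=203.0.113.77 dst=10.20.5.40 proto=TCP spt=40022 dpt=9000",
    "2026-01-10T08:00:09Z ACCEPT src=198.51.100.9 dst=10.20.5.40 proto=TCP spt=40100 dpt=443",
    "2026-01-10T08:00:12Z DROP src=198.51.100.9 dst=10.20.5.40 proto=TCP spt=40101 dpt=9000",
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_management(src):
    """True if the source address lies inside an allowed management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_untrusted_ms_service_access(lines):
    """Return accepted TCP connections to port 9000 from outside the management networks.

    Only ACCEPT records are reported: a DROP already shows the segmentation
    rule working, while an ACCEPT from an untrusted source means the control
    is missing or misconfigured and the line deserves investigation.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as findings
        if rec["proto"].upper() != "TCP" or rec["dpt"] != MS_SERVICE_PORT:
            continue
        if rec["action"] != "ACCEPT":
            continue
        if is_management(rec["src"]):
            continue
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"]})
    return findings


def nft_allowlist_rules(table="inet filter", chain="input"):
    """Return nft commands that allow port 9000 only from the management networks.

    Order matters: the per-network accept rules must precede the final drop.
    Table and chain names are assumptions; adjust them to the host's ruleset.
    """
    rules = [
        f"nft add rule {table} {chain} ip saddr {net} tcp dport {MS_SERVICE_PORT} accept"
        for net in MANAGEMENT_NETWORKS
    ]
    rules.append(f"nft add rule {table} {chain} tcp dport {MS_SERVICE_PORT} drop")
    return rules


if __name__ == "__main__":
    for f in find_untrusted_ms_service_access(SAMPLE_LOG):
        print(f"untrusted access to ms_service port: {f}")
    for r in nft_allowlist_rules():
        print(r)
```

Run over the constructed sample, the script reports the single accepted connection from 203.0.113.77 and prints the two rule lines; against real logs, feed the exporter's line format into `LINE_RE` and replace the placeholder management network with the actual management subnet.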
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity and the ease of exploitation via unauthenticated network access, this vulnerability presents an immediate and severe risk to the confidentiality, integrity, and availability of storage assets. Administrators must prioritize the application of vendor-supplied patches as soon as they become available.