CVE-2026-50110

Summary

Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.

Affected Software

VendorProductVersion RangeStatus
StoneFlyStorage Concentrator0 < 8.0.4.26affected
StoneFlyStorage Concentrator8.0.4.29unaffected
StoneFlyStorage Concentrator Virtual Machine0 < 8.0.4.26affected
StoneFlyStorage Concentrator Virtual Machine8.0.4.29unaffected

Weaknesses

  • CWE-798: CWE-798 Use of Hard-coded Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References