CVE-2026-55721
9.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
Summary
Storage Concentrator (SC & SCVM) is vulnerable to SQL injection through cookie values processed by the login.pl and debug.pl scripts. The cookie value is incorporated directly into database queries without adequate sanitization, allowing an unauthenticated remote attacker to manipulate those queries and extract sensitive information from the underlying database, including session tokens, password hashes, and stored secret keys.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| StoneFly | Storage Concentrator | 0 < 8.0.4.22 | affected |
| StoneFly | Storage Concentrator | 8.0.4.29 | unaffected |
| StoneFly | Storage Concentrator Virtual Machine | 0 < 8.0.4.22 | affected |
| StoneFly | Storage Concentrator Virtual Machine | 8.0.4.29 | unaffected |
Weaknesses
- CWE-89: CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-06
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-181-06.json
- https://stonefly.com/contact-us/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.