Critical RCE, SQL‑Injection and XSS Flaws in StoneFly Storage Concentrator (CVE‑2026‑56415, CVE‑2026‑55721, CVE‑2026‑50040, CVE‑2026‑50110, CVE‑2026‑56413)
What It Is — CISA has identified five new CVEs affecting StoneFly Storage Concentrator (both physical and virtual appliances). The flaws include hard‑coded credentials, OS‑command injection, SQL injection and cross‑site scripting, each rated CVSS v3 10.0.
Exploitability — Public advisories indicate that the vulnerabilities are exploitable without authentication; successful exploitation grants attackers root‑level command execution, data exfiltration and the ability to act as legitimate users across connected systems. No public PoC is required beyond sending crafted requests.
Affected Products — StoneFly Storage Concentrator < 8.0.4.22, < 8.0.4.26 and < 8.0.4.29 (both hardware and virtual‑machine deployments).
Why It Matters for Compliance & Audit Readiness
- SOC 2 Control CC6.1 (System Operations) requires documented, continuously monitored protection against unauthorized system access; these flaws demonstrate a gap that must be evidenced as closed.
- Control CC7.1 (Change Management) obligates organizations to track and verify patch deployment; failure to apply the vendor’s fixes can be cited as a control deficiency during audits.
- Continuous‑compliance programs need real‑time evidence that critical infrastructure components are patched and that remediation steps are logged in an immutable audit trail—exactly the data Verisq’s Control Mapping capability can capture.
Recommended Actions
- Inventory all StoneFly Storage Concentrator instances and verify version numbers.
- Apply the vendor‑provided patches for CVE‑2026‑56415, 55721, 50040, 50110 and 56413 immediately.
- Map the remediation to SOC 2 CC6.1 and CC7.1, capturing patch‑install logs, configuration snapshots, and post‑patch validation as audit evidence.
- Integrate the patched systems into your continuous‑monitoring pipeline to detect any re‑emergence of the vulnerable code paths.
- Update your incident‑response playbooks to include these specific CVEs and the associated containment steps.
Source: CISA Advisory – StoneFly Storage Concentrator Vulnerabilities