StoneFly Storage Concentrator

Summary

CISA has alerted users to multiple critical vulnerabilities in StoneFly Storage Concentrator versions prior to 8.0.4.22, 8.0.4.26, and 8.0.4.29. Successful exploitation could lead to broad unauthorized access, command execution with root privileges, data theft, and impersonation. The vulnerabilities include hard-coded credentials, OS command injection, SQL injection, and cross-site scripting.

IFF Assessment

FOE

These vulnerabilities allow attackers to gain broad unauthorized access and execute commands with root privileges, posing a significant threat to defenders.

Severity

10.0 Critical

The article cites a CVSS v3.1 score of 10.0 for these StoneFly Storage Concentrator vulnerabilities, a critical severity level reflecting the potential for widespread unauthorized access and root-level command execution.

Defender Context

Defenders should prioritize patching or mitigating StoneFly Storage Concentrator devices with affected versions to prevent attackers from gaining deep access and control. The presence of hard-coded credentials and injection vulnerabilities highlights the importance of secure coding practices and regular credential rotation for critical infrastructure components.
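As an added illustration of the vulnerability classes named above (not StoneFly's code, and not drawn from the advisory), the following Python sketch places each of three patterns, hard-coded credentials, OS command injection and SQL injection, in its vulnerable form beside a hardened form. The user table, the `lvs` command, the volume-name allow-list and the `APPLIANCE_ADMIN_PASSWORD` environment variable are all constructed for the example; the unsafe command builder only returns the string it would have run, so nothing dangerous executes.

```python
import hmac
import os
import re
import sqlite3
import subprocess


def make_db():
    # Constructed sample data: a toy appliance user table, not any vendor's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "administrator"), ("ops", "operator")],
    )
    return conn


# --- SQL injection -----------------------------------------------------------

def lookup_user_unsafe(conn, name):
    # VULNERABLE: caller input is concatenated into the SQL text, so quote
    # characters in `name` change the query's structure.
    return conn.execute(
        "SELECT name FROM users WHERE name = '" + name + "'"
    ).fetchall()


def lookup_user_safe(conn, name):
    # HARDENED: placeholder binding; the driver treats `name` as data only.
    return conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- OS command injection ----------------------------------------------------

# Assumed allow-list for volume identifiers (letters, digits, '-' and '_').
VOLUME_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_status_cmd_unsafe(volume):
    # VULNERABLE: a single string destined for a shell, so metacharacters in
    # `volume` would be interpreted by the shell. Returned, never executed here.
    return "lvs " + volume


def build_status_cmd_safe(volume):
    # HARDENED: validate against the allow-list, then return an argv list that
    # subprocess passes directly to the program with no shell in between.
    if not VOLUME_NAME.match(volume):
        raise ValueError("invalid volume name")
    return ["lvs", volume]


def run_status(volume):
    # shell=False is the default; the argv list is never re-parsed by a shell.
    return subprocess.run(build_status_cmd_safe(volume), check=True)


# --- Hard-coded credentials --------------------------------------------------

def verify_admin_password(supplied, expected=None):
    # HARDENED: the reference secret comes from the deployment (here an assumed
    # environment variable), not a literal in source, and the comparison is
    # constant-time. An empty configured secret is treated as "no access".
    if expected is None:
        expected = os.environ.get("APPLIANCE_ADMIN_PASSWORD", "")
    if not expected:
        return False
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

The SQL pair is the clearest demonstration: with the same quote-bearing input, the concatenated query returns every row while the parameterized query returns none. The command-builder pair shows why the fix is two-part, an allow-list on the input plus an argv list instead of a shell string; either half alone leaves gaps.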
