← All Advisories

Critical Command Injection Vulnerability in Storage Concentrator (CVE-2026-56415)

A critical command injection vulnerability (CVE-2026-56415) in Storage Concentrator (SC & SCVM) allows unauthenticated attackers to execute arbitrary commands with root privileges via a crafted HTTP request. CVSS score: 10.0.

A critical command injection vulnerability has been identified in the debug.pl script of Storage Concentrator (SC & SCVM) appliances. This flaw, tracked as CVE-2026-56415, permits unauthenticated remote attackers to execute arbitrary system commands with root-level privileges by submitting a maliciously crafted HTTP request. The vulnerability arises from insufficient input sanitization of user-supplied data within the debug.pl script, which is accessible without requiring authentication. Affected systems include all versions of the Storage Concentrator appliance and its virtual counterpart (SCVM). The CVSS score of 10.0 reflects the highest severity due to the combination of remote exploitability, lack of authentication requirements, and potential for full system compromise. Immediate remediation is strongly advised. Administrators should apply vendor-released patches or workarounds to mitigate exposure. In the absence of patches, network-level restrictions to block unauthorized access to the debug.pl endpoint may reduce risk. Organizations are urged to monitor official channels for updates and prioritize deployment of fixes to eliminate the potential for remote code execution.

Stay Informed

Subscribe to get advisories like this delivered to your inbox.

Subscribe to Alerts