CVE Catalog

CVE-2026-56413

Critical · CVSS 10.0

Exploitation Probability (EPSS)

High risk
3.08%

86th percentile — higher than 86% of all known CVEs

Summary

A command injection vulnerability in the ms_service.pl service of Storage Concentrator (SC & SCVM) allows an unauthenticated remote attacker to execute arbitrary commands with root privileges by sending a specially crafted packet to the default TCP port 9000.

Risk Assessment

An attacker can gain full control over the device, compromising confidentiality, integrity, and availability of data, and potentially spreading the attack within the internal network.

Recommendation

Immediately update the Storage Concentrator software to a patched version, and use a firewall to restrict access to TCP port 9000 to trusted hosts only.

Original NVD description (English source)

Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS