CVE-2026-56413
Severity: Critical (CVSS 10.0)
Exploitation Probability (EPSS): High risk, 86th percentile (higher than 86% of all known CVEs)
Summary
A command injection vulnerability in the ms_service.pl service of Storage Concentrator (SC & SCVM) allows an unauthenticated remote attacker to execute arbitrary commands with root privileges by sending a specially crafted packet to the default TCP port 9000.
Risk Assessment
An attacker can gain full control over the device, compromising confidentiality, integrity, and availability of data, and potentially spreading the attack within the internal network.
Recommendation
Immediately update the Storage Concentrator software to a patched version and restrict access to TCP port 9000 to trusted hosts only using a firewall.
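One way to confirm that the port 9000 restriction is actually in effect is to audit firewall or flow logs for connections to the appliances from outside the trusted set. The following is an added example, not part of the advisory or any vendor material; the log format, appliance addresses and trusted ranges are assumptions constructed for illustration.

```python
import ipaddress

SERVICE_PORT = 9000  # default ms_service.pl port per the advisory
# Assumed for illustration (documentation address ranges, not from the advisory):
APPLIANCES = {"192.0.2.10", "192.0.2.11"}
TRUSTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/28", "192.0.2.50/32")]

# Constructed sample records: "timestamp action proto src:sport dst:dport"
SAMPLE_LOG = """\
2026-01-10T08:00:01Z ACCEPT tcp 198.51.100.5:51514 192.0.2.10:9000
2026-01-10T08:00:07Z ACCEPT tcp 203.0.113.77:40022 192.0.2.10:9000
2026-01-10T08:01:12Z DROP tcp 203.0.113.77:40023 192.0.2.11:9000
2026-01-10T08:02:30Z ACCEPT tcp 203.0.113.9:55000 192.0.2.10:443
truncated record
2026-01-10T08:03:44Z ACCEPT tcp 192.0.2.50:49152 192.0.2.11:9000
"""

def parse(line):
    """Return (ts, action, src_ip, dst, dport), or None if the line is unparseable."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "tcp":
        return None
    try:
        src, _ = parts[3].rsplit(":", 1)
        dst, dport = parts[4].rsplit(":", 1)
        return parts[0], parts[1], ipaddress.ip_address(src), dst, int(dport)
    except ValueError:
        return None

def audit(log_text):
    """List port-9000 connections to the appliances from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, action, src, dst, dport = rec
        if dst not in APPLIANCES or dport != SERVICE_PORT:
            continue
        if any(src in net for net in TRUSTED):
            continue  # trusted management host, expected traffic
        # ACCEPT: the rule is missing or too broad. Anything else: a blocked attempt.
        kind = "EXPOSED" if action == "ACCEPT" else "BLOCKED_PROBE"
        findings.append((kind, ts, str(src), dst))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

An EXPOSED finding means an untrusted source completed a connection to the service and the firewall rule needs tightening; BLOCKED_PROBE entries show the rule working and are worth tracking as attempted access.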
Original NVD description (English source)
Storage Concentrator (SC & SCVM) contains a command injection vulnerability in the ms_service.pl service, which listens on TCP port 9000 by default and accepts custom network packets to perform device actions. An unauthenticated remote attacker can send a specially crafted packet containing a malicious payload that is processed without adequate sanitization, resulting in arbitrary command execution with root-level privileges.

