CVE-2026-50110
Use of Hard-coded Credentials in StoneFly Storage Concentrator
| CVSS Score | 9.2 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.
| CWE | CWE-798 |
| Vendor | stonefly |
| Product | storage concentrator |
| Published | Jun 30, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | Low |
Affected Versions
| StoneFly / Storage Concentrator | 0 < 8.0.4.26 |
| StoneFly / Storage Concentrator Virtual Machine | 0 < 8.0.4.26 |
Credits
David Yesland of Rhino Security Labs reported this vulnerability to CISA.