Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-50110— Use of Hard-coded Credentials in StoneFly Storage Concentrator

CVSS 9.2 · Critical EPSS 0.13% · P3

Affected Version Matrix 4

VendorProductVersion RangeStatus
StoneFlyStorage Concentrator< 8.0.4.26affected
8.0.4.29unaffected
StoneFlyStorage Concentrator Virtual Machine< 8.0.4.26affected
8.0.4.29unaffected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-50110

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Use of Hard-coded Credentials in StoneFly Storage Concentrator
Source: NVD (National Vulnerability Database)
Vulnerability Description
Storage Concentrator (SC & SCVM) contains hardcoded credentials for numerous internal services embedded within a configuration file. While the credentials are stored in an encoded format, the encoding can be reversed to plaintext. The exposed credentials span a broad range of internal services, including database accounts, licensing, replication services, and third-party integrations, meaning successful exploitation of this vulnerability could provide an attacker with unauthorized access to multiple interconnected systems.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的凭证
Source: NVD (National Vulnerability Database)
Vulnerability Title
StoneFly Storage Concentrator 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
StoneFly storage concentrator是StoneFly公司的一种数据集中存储设备。 Storage Concentrator 8.0.4.26之前版本存在信任管理问题漏洞,该漏洞源于在配置文件中嵌入了硬编码凭据,虽然凭据以编码格式存储,但编码可被逆向为明文,暴露的凭据涵盖数据库账户、许可、复制服务和第三方集成等内部服务,可能导致攻击者未授权访问多个互联系统。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
StoneFlyStorage Concentrator 0 ~ 8.0.4.26 -
StoneFlyStorage Concentrator Virtual Machine 0 ~ 8.0.4.26 -

II. Public POCs for CVE-2026-50110

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-50110

登录查看更多情报信息。

Vendor Advisories for CVE-2026-50110 (2)

Vendor Pages for CVE-2026-50110 (1)

Same Patch Batch · StoneFly · 2026-06-30 · 5 CVEs total

CVE-2026-5641510.0 CRITICALOS Command Injection in StoneFly Storage Concentrator
CVE-2026-5641310.0 CRITICALOS Command Injection in StoneFly Storage Concentrator
CVE-2026-557219.3 CRITICALSQL Injection in StoneFly Storage Concentrator
CVE-2026-500406.1 MEDIUMCross-site Scripting in StoneFly Storage Concentrator

IV. Related Vulnerabilities

V. Comments for CVE-2026-50110

No comments yet


Leave a comment