External risk intelligence

Storage Concentrator SQL Injection via Cookie Values

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-55721

The vulnerability exists in login and debug scripts of a storage concentrator, which are typically exposed as web-based management interfaces or portals. Since the flaw is accessible via cookies without authentication, it constitutes a public-facing, unauthenticated internet service that is designed for remote access or administrative interaction.

SQL Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Storage Concentrator products that allows unauthenticated attackers to potentially access sensitive data through manipulated login or debug scripts. The issue stems from inadequate sanitization of cookie values, which are directly used in database queries, posing a risk of unauthorized information disclosure.

  • Allows unauthorized access to sensitive data.
  • Affects systems often exposed for remote management.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted cookie values to the affected Storage Concentrator device. Since the login and debug scripts do not properly sanitize these cookie values, the attacker can inject malicious SQL code. This allows the attacker to bypass authentication and query the database for sensitive information.

  • Requires network access.
  • Triggered via crafted cookie values.
  • Leads to unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated remote attacker to manipulate database queries by injecting malicious SQL code into cookie values. This may lead to the extraction of sensitive information, such as session tokens, password hashes, and secret keys, from the Storage Concentrator's database when processed by the login.pl and debug.pl scripts.

  • Session tokens and secrets at risk.
  • SQL injection via unauthenticated cookies.
  • Unauthorized access to sensitive data.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Storage Concentrator (SC & SCVM) SQL injection vulnerability likely falls under the responsibility of infrastructure or platform teams managing the Storage Concentrator appliances, with input from security teams for exposure assessment and vendor management teams for coordinating with the vendor. The first practical step is to identify all instances of Storage Concentrator, determine their internet reachability and business criticality, and then engage the accountable owner to plan remediation or implement temporary risk reduction measures.

  • Infrastructure or platform teams own remediation.
  • Verify internet-facing instances and criticality.
  • Coordinate with the vendor for a fix.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Storage Concentrator product affected by CVE-2026-55721?

Storage Concentrator (SC and SCVM) is a hardware or virtualized appliance designed to manage data storage environments. It typically provides web-based management interfaces that administrators use to configure storage parameters, monitor health, and perform maintenance tasks. These interfaces rely on underlying scripts to process user interactions and manage data within the device's internal database.

What is the SQL injection weakness in this CVE?

This vulnerability is classified as CWE-89. It occurs because the software fails to sanitize input provided through cookies before using them in database commands. Because the system trusts these cookie values, an attacker can insert malicious SQL code. This allows them to manipulate the database's logic to retrieve information that should remain private, such as stored password hashes, session tokens, and cryptographic secret keys.

How is this vulnerability triggered?

An attacker triggers the flaw by sending a network request to the device with a specifically crafted cookie value. The vulnerability resides specifically within the login.pl and debug.pl scripts. Because the bug is tied to these specific processing scripts, simply connecting to the device's main web portal without interacting with these scripts does not necessarily trigger the exploit; it requires the processing of the malicious cookie during these specific script executions.

Is my Storage Concentrator at risk?

Halo Surface Signal indicates that this vulnerability is highly relevant if your device's web management interface is internet-facing. Because the exploit does not require authentication and targets cookies, any instance directly reachable from the public internet is at a much higher risk. Internal systems are generally safer, but they remain susceptible if an attacker has already gained a foothold on your local network and can reach the management interface.

What steps should I take if I use this software?

Start by performing an inventory to locate all deployed Storage Concentrator appliances in your environment. Prioritize identifying which units are accessible over the internet versus those restricted to internal management networks. Once mapped, coordinate with your infrastructure or platform team to assess the criticality of each device and prepare to implement official vendor updates or temporary risk-mitigation measures as they become available.

References