CVE-2026-28517
Published 2026-02-27
Priority: P185 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 5.65% (92.0th percentile)
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opendcim | opendcim | <= 23.04 | — |
| opendcim | opendcim | — | — |
Detection & IOCs
- Monitor for HTTP requests to report_network_map.php on openDCIM installations, particularly when preceded by POST requests to install.php with LDAP configuration parameters — this is the exploit chain trigger sequence.
- Alert on web server processes (e.g., Apache/www-data) spawning unexpected child processes or shells, as the OS command injection executes in the context of the web server process.
- The three CVEs (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517) are chained across five HTTP requests to achieve RCE and spawn a reverse shell — correlate sequences of requests to install.php and report_network_map.php within a short time window.
- Check for modifications to the Graphviz dot binary path stored in the fac_Config database table, as attackers overwrite this value to point to a malicious binary or command as part of the exploit chain.
- The OS command injection in report_network_map.php is only exploitable if an attacker can first modify the fac_Config.dot database value — in practice this requires chaining with CVE-2026-28516 (SQL injection) and/or CVE-2026-28515 (missing authorization on LDAP config endpoint).
- In Docker deployments where REMOTE_USER is set without authentication enforcement, the LDAP configuration endpoint (CVE-2026-28515) may be reachable without credentials, lowering the bar for the full exploit chain.
- The Metasploit module was tested against openDCIM versions 23.04 through 25.01 on Ubuntu with Apache; coverage on other OS/web server combinations is unconfirmed.
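The request-sequence correlation suggested above (a POST to install.php followed shortly by a request to report_network_map.php from the same client) can be run over web server access logs. The script below is an added example, not code from this page, from openDCIM or from VulnCheck; it assumes the Apache "combined" log format, and the log lines embedded in it are constructed sample data rather than real traffic.

```python
"""Flag the openDCIM exploit-chain request sequence in access logs:
a POST to install.php followed, within a short window, by a request
to report_network_map.php from the same client IP.
Assumes Apache 'combined' log format (an assumption of this example)."""
import re
from datetime import datetime

# Matches the fixed prefix of a combined-format line; referer/agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not real traffic). The first client shows the
# chain; the second requests the report page before, not after, install.php.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2026:10:00:01 +0000] "POST /install.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [27/Feb/2026:10:00:03 +0000] "POST /install.php HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [27/Feb/2026:10:00:09 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '198.51.100.7 - - [27/Feb/2026:10:05:00 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2026:12:30:00 +0000] "POST /install.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    return entry


def find_chain(lines, window_s=600):
    """Return (ip, install_ts, map_ts) triples where a POST to install.php is
    followed within window_s seconds by a request to report_network_map.php
    from the same client IP. Unparseable lines are skipped."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    last_install = {}  # ip -> timestamp of its most recent POST to install.php
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"].endswith("/install.php"):
            last_install[e["ip"]] = e["ts"]
        elif e["path"].endswith("/report_network_map.php"):
            t0 = last_install.get(e["ip"])
            if t0 is not None and (e["ts"] - t0).total_seconds() <= window_s:
                hits.append((e["ip"], t0, e["ts"]))
    return hits


if __name__ == "__main__":
    for ip, t0, t1 in find_chain(SAMPLE_LOG):
        print(f"possible openDCIM exploit chain from {ip}: install.php at {t0}, "
              f"report_network_map.php at {t1}")
```

The window defaults to ten minutes; tighten it to match how quickly the chained requests arrive in your environment, and feed the function real log lines by reading them from the access log instead of SAMPLE_LOG. A hit is a correlation signal to investigate alongside the fac_Config.dot value and web-server child-process alerts listed above, not proof of compromise on its own.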
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- VulnCheck: 9.3 CRITICAL
GHSA
GHSA-428h-8xhf-g3cw (ghsa_unreviewed · 2026-02-28): CVE-2026-28517 [CRITICAL] CWE-78
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
VulnCheck
CVE-2026-28517 [CRITICAL] (vulncheck · 2026 · CVSS 9.3): opendcim opendcim Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Affected: opendcim opendcim
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2026-28517&date=2
No detection rules found.
Hackernews
CVE-2026-42945 [CRITICAL] (blogs_hackernews · 2026-05-17 · CVSS 9.2): NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
## NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.
Successful exploitation of the flaw can permit an unauthenticated attacker to crash worker processes or execute r
Rapid7
CVE-2026-28501 [CRITICAL] (blogs_rapid7 · 2026-04-17 · CVSS 9.8): Metasploit Wrap-Up 04/17/2026
## Happy Friday - Seven New Metasploit Modules
We’re happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week’s highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS.
What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.
## New module content (7)
## AVideo Unauthenticated SQL Injection Credential Dump
Authors: Valentin Lobstein and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_ca
References:
- https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
- https://github.com/Chocapikk/opendcim-exploit
- https://github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.php#L467
- https://github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.php#L7
- https://github.com/opendcim/openDCIM/pull/1664
- https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09
- https://www.vulncheck.com/advisories/opendcim-os-command-injection-via-dot-configuration-parameter