CVE-2026-28517
Published: 27 February 2026
Summary
CVE-2026-28517 is a critical-severity OS Command Injection (CWE-78) vulnerability in openDCIM. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 8.0% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
openDCIM version 23.04 through commit 4467e9c4 contains an OS command injection vulnerability in report_network_map.php. The application retrieves the dot configuration parameter from the database and passes it directly to an exec() call without validation or sanitization, allowing arbitrary operating system commands to run if the fac_Config.dot value is altered. The flaw is tracked as CWE-78 and carries a CVSS 4.0 score of 9.3.
An attacker able to modify the fac_Config.dot database entry can execute arbitrary commands in the context of the web server process. The CVSS vector indicates the issue is exploitable over the network without authentication or user interaction, so any vector that grants write access to the configuration table, such as a separate SQL injection, would enable remote code execution.
Public references include a detailed write-up on chaining SQL injection to achieve RCE, a functional exploit repository, the vulnerable code locations in report_network_map.php, and pull request 1664 that addresses the issue. The EPSS score sits at 0.3137 with no material rise from a lower baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9098
Vulnerability details
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated OS command injection in a public-facing web application (openDCIM), directly enabling T1190 (Exploit Public-Facing Application) for remote code execution. It facilitates arbitrary shell command execution via PHP exec(), mapping to T1059.004 (Unix Shell).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of all inputs, including database-sourced configuration values, before they are used in system calls such as exec().
- AC-3 (Access Enforcement): enforces access-control policy on the configuration table so that only authorized subjects may modify fac_Config.dot, blocking the prerequisite write needed for command injection.
- Mandates integrity verification of configuration data, enabling detection of unauthorized changes to fac_Config.dot that would otherwise enable the OS command injection.
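The following PHP is an added illustration of the pattern described under "Deeper analysis" and of the SI-10 control above; it is not openDCIM's code and does not reproduce report_network_map.php. It contrasts a function that concatenates a database-sourced 'dot' path straight into exec() with a hardened version that treats the stored value as untrusted input: the path must resolve to an executable named dot inside an allow-listed directory, every argument is quoted with escapeshellarg(), and the function fails closed. A small integrity check for the stored value is included as well. The function names, the allow-listed directories and the sample configuration row are assumptions constructed for this example.

```php
<?php
// Added example for CVE-2026-28517 (not openDCIM's code).

// Vulnerable pattern: the 'dot' value read from the configuration table is
// concatenated into the command line, so whatever is stored there is parsed
// by the shell. Shown for contrast only; not called below.
function render_map_vulnerable(array $config, string $dotFile, string $outFile): array
{
    $cmd = $config['dot'] . " -Tpng " . $dotFile . " -o " . $outFile;
    exec($cmd, $output, $rc);
    return [$rc, $output];
}

// Hardened pattern. Assumption: the Graphviz binary only ever lives in one of
// these directories on the deployment host.
const DOT_ALLOWED_DIRS = ['/usr/bin', '/usr/local/bin'];

function resolve_dot_binary(?string $configured): string
{
    $candidate = $configured ?? '/usr/bin/dot';

    // Reject shell metacharacters, whitespace and relative paths outright.
    if (!preg_match('#\A/[A-Za-z0-9_./-]+\z#', $candidate)) {
        throw new RuntimeException('dot path rejected: unexpected characters');
    }

    // Canonicalise and require a real executable actually named "dot".
    $real = realpath($candidate);
    if ($real === false || basename($real) !== 'dot' || !is_executable($real)) {
        throw new RuntimeException('dot path rejected: not an executable named dot');
    }

    // Only accept binaries from the allow-listed directories.
    if (!in_array(dirname($real), DOT_ALLOWED_DIRS, true)) {
        throw new RuntimeException('dot path rejected: outside allowed directories');
    }
    return $real;
}

function render_map_hardened(array $config, string $dotFile, string $outFile): array
{
    $dot = resolve_dot_binary($config['dot'] ?? null);
    // Every argument is quoted; the binary path has already been validated.
    $cmd = escapeshellarg($dot) . ' -Tpng ' . escapeshellarg($dotFile)
         . ' -o ' . escapeshellarg($outFile);
    exec($cmd, $output, $rc);
    return [$rc, $output];
}

// Integrity check for the stored value: compare the row against a digest
// recorded at install time (hypothetical storage location), so an
// unauthorised change to fac_Config.dot is noticed before it is ever used.
function config_dot_unchanged(string $storedValue, string $expectedSha256): bool
{
    return hash_equals($expectedSha256, hash('sha256', $storedValue));
}

// Constructed sample: a tampered configuration row. The hardened path
// refuses it; the vulnerable function would have handed it to the shell.
$tamperedRow = ['dot' => '/usr/bin/dot; echo injected'];
try {
    render_map_hardened($tamperedRow, '/tmp/map.dot', '/tmp/map.png');
} catch (RuntimeException $e) {
    echo "blocked: " . $e->getMessage() . PHP_EOL;
}

$expected = hash('sha256', '/usr/bin/dot');
var_dump(config_dot_unchanged($tamperedRow['dot'], $expected)); // bool(false)
```

The regular expression is deliberately stricter than escapeshellarg() alone would require: because the binary path is the first token of the command line, the safest policy is to allow only a small, known set of values rather than to quote an arbitrary one. The integrity check complements AC-3 and the configuration-integrity control: access enforcement prevents the write, and the digest comparison detects it if enforcement fails.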