CVE-2026-28517

Severity: Critical · Exploited in the wild

openDCIM < 23.04 - OS Command Injection via fac_Config.dot Parameter


Exploitation Summary

CVE-2026-28517 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit, including a Metasploit module exploits/linux/http/opendcim_install_sqli_rce.

AI-analyzed exploit summary: This Metasploit module exploits a SQL injection vulnerability in openDCIM's install.php (CVE-2026-28515) to achieve remote code execution by poisoning the Graphviz dot binary path and triggering its execution via report_network_map.php.

Description

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value (for example through a separate flaw that grants write access to the configuration table), arbitrary commands are executed in the context of the web server process.
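The pattern described above, shown as an added illustration that is not openDCIM's own code: a database-sourced setting reaching exec() unchecked, next to a hardened variant that only accepts a known Graphviz binary and quotes every argument. The config lookup, allowlist paths and function names are assumptions for the example.

```php
<?php
// Illustrative example only (not openDCIM code). Constructed stand-in for
// reading the 'dot' setting out of fac_Config; the real app uses SQL.
function get_config_value(string $key): string {
    $fake_config = ['dot' => '/usr/bin/dot'];   // constructed sample value
    return $fake_config[$key] ?? '';
}

// Unsafe pattern (as the description reports): whatever is stored in the
// 'dot' setting is interpolated straight into the shell command line.
function render_map_unsafe(string $dotfile): array {
    $dot = get_config_value('dot');
    exec("$dot -Tpng $dotfile", $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}

// Hardened variant: the setting may only select among known executables
// (compared after symlink resolution), and arguments are shell-quoted so a
// modified config value can never alter the command being run.
const ALLOWED_DOT_BINARIES = ['/usr/bin/dot', '/usr/local/bin/dot'];  // assumed

function resolve_dot_binary(string $configured): ?string {
    $real = realpath($configured);
    if ($real === false || !is_executable($real)) {
        return null;
    }
    $allowed = array_filter(array_map('realpath', ALLOWED_DOT_BINARIES));
    return in_array($real, $allowed, true) ? $real : null;
}

function render_map_safe(string $dotfile): array {
    $dot = resolve_dot_binary(get_config_value('dot'));
    if ($dot === null) {
        // Refuse to execute; a logged refusal here is a useful detection signal,
        // since a legitimate install never points 'dot' outside the allowlist.
        error_log('report_network_map: refused dot binary outside allowlist');
        return ['rc' => -1, 'output' => []];
    }
    $cmd = escapeshellarg($dot) . ' -Tpng ' . escapeshellarg($dotfile);
    exec($cmd, $output, $rc);
    return ['rc' => $rc, 'output' => $output];
}
```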

Exploits (1)

Metasploit · Working PoC · Excellent
Tags: ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/opendcim_install_sqli_rce.rb


Classification
Working PoC: 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: openDCIM 23.04 through 25.01
Authentication: none needed
Prerequisites: Access to install.php endpoint · Network access to the target
Analyzed by devstral-2 on Apr 15, 2026

Scores

CVSS v3: 9.8
EPSS: 0.3137
EPSS Percentile: 96.9%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV: 2026-05-14
CWE: CWE-78
Status: published
Products (2):
opendcim/opendcim 23.04
openDCIM/openDCIM < 23.04
Published: Feb 27, 2026
Tracked Since: Feb 28, 2026