Researchers at VulnCheck have observed the first in-the-wild attacks exploiting critical vulnerabilities in openDCIM, an open-source Data Center Infrastructure Management (DCIM) platform. The attackers are automatically scanning for vulnerable instances and deploying web shells to gain persistent remote access.
The attacks chain three vulnerabilities: CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517. According to VulnCheck's telemetry, all activity seen so far comes from a single IP address geolocated in China. The attacker appears to be using a customized, modified version of Vulnhuntr, an LLM-driven static code analysis tool for finding software vulnerabilities, to identify exploitable targets.
Organizations use openDCIM to manage data center assets such as rack layouts, network connections, power distribution units and hardware inventory. Of the internet-facing installations found by external scans, a large share sit on academic and educational networks. Although fewer than fifty instances were found publicly exposed worldwide, tools of this kind are commonly deployed on the internal networks of companies and institutions, so the real exposure is larger than the internet-facing count suggests.
The exploit chain gives an unauthenticated attacker remote code execution on the host. The entry point is the install.php setup script, which is often left reachable after installation. Because the script performs no access control, an attacker can change openDCIM's core configuration values. The attacker then uses an SQL injection to overwrite those configuration values with a payload that is ultimately passed to PHP's exec() function, which runs arbitrary operating system commands.
The vulnerabilities are particularly dangerous for deployments based on the official openDCIM Docker image. To skip the login flow, many administrators have set the REMOTE_USER environment variable with Apache's SetEnv directive, which makes the application treat every incoming request as already authenticated. In that configuration the exploit chain works without any credentials at all.
VulnCheck's proof-of-concept testing shows full host compromise in under a second. The exploit script backs up the current configuration, injects the command-execution payload, launches a reverse shell, and then restores the original configuration values to cover its tracks.
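The three paragraphs above describe the conditions an attacker needs (install.php reachable, REMOTE_USER set unconditionally) and the trace the exploit tries to hide (a modified configuration that is restored afterwards). The script below is an added example, not code from VulnCheck, Lobstein or the openDCIM project, and is assumed to run on an openDCIM host's shell. It builds constructed sample inputs (a weak and a hardened Apache snippet, a webroot, and a few access-log lines) in a temporary directory and runs three offline checks against them: whether an Apache config sets REMOTE_USER via SetEnv, whether install.php is still present under the webroot, and which client addresses have requested install.php. All file paths, addresses and log lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from VulnCheck, Lobstein or the openDCIM project.
# Three offline checks a defender can run on an openDCIM host. The Apache
# snippets, webroot, addresses and log lines below are constructed.

WORK=$(mktemp -d)

# Constructed: the weak pattern. An unconditional SetEnv makes PHP see
# REMOTE_USER on every request, so the application skips authentication.
cat > "$WORK/weak.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    SetEnv REMOTE_USER admin
</VirtualHost>
EOF

# Constructed: a hardened variant. REMOTE_USER is only populated by Apache
# itself after a successful authentication, never by SetEnv, and the
# installer is blocked outright.
cat > "$WORK/hardened.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AuthType Basic
        AuthName "openDCIM"
        AuthUserFile /etc/apache2/opendcim.htpasswd
        Require valid-user
    </Directory>
    <Files "install.php">
        Require all denied
    </Files>
</VirtualHost>
EOF

# Constructed combined-format access log: two hits on install.php from one
# external address and one ordinary request from another.
cat > "$WORK/access.log" <<'EOF'
203.0.113.7 - - [10/Mar/2026:08:14:02 +0000] "GET /install.php HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:14:03 +0000] "POST /install.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.5 - - [10/Mar/2026:08:15:40 +0000] "GET /index.php HTTP/1.1" 200 8201 "-" "Mozilla/5.0"
EOF

# Constructed webroot with the installer still in place.
mkdir -p "$WORK/html"
: > "$WORK/html/install.php"

# Check 1: does an Apache config set REMOTE_USER unconditionally?
# Prints 1 if the dangerous directive is present, 0 otherwise.
has_remote_user_setenv() {
    if grep -Eiq '^[[:space:]]*SetEnv[[:space:]]+REMOTE_USER([[:space:]]|$)' "$1"; then
        echo 1
    else
        echo 0
    fi
}

# Check 2: is install.php still present under the given webroot?
installer_present() {
    if [ -f "$1/install.php" ]; then echo 1; else echo 0; fi
}

# Check 3: count requests for install.php in a combined-format access log.
# Any non-zero count after deployment deserves a look at the source address.
count_install_hits() {
    grep -cE '"(GET|POST) /[^" ]*install\.php' "$1" || true
}

# Check 3b: distinct client addresses that requested install.php.
install_hit_sources() {
    grep -E '"(GET|POST) /[^" ]*install\.php' "$1" | awk '{print $1}' | sort -u
}

# Run the checks against the constructed inputs.
echo "weak.conf sets REMOTE_USER:     $(has_remote_user_setenv "$WORK/weak.conf")"
echo "hardened.conf sets REMOTE_USER: $(has_remote_user_setenv "$WORK/hardened.conf")"
echo "install.php in webroot:         $(installer_present "$WORK/html")"
echo "install.php requests in log:    $(count_install_hits "$WORK/access.log")"
echo "sources:                        $(install_hit_sources "$WORK/access.log")"
```

Point the functions at the real Apache configuration, webroot and access log instead of the constructed ones. Against a live instance, `curl -s -o /dev/null -w '%{http_code}' https://HOST/install.php` returning 200 means the installer is still reachable from the network. Restoring the configuration after exploitation hides the change inside openDCIM's own data, but it does not touch the web server's access log, so the third check still catches the install.php requests unless the attacker also cleaned the log.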
The vulnerabilities were discovered by VulnCheck researcher Valentin Lobstein on February 27. Patches were submitted to the openDCIM project the same day, but the project's maintainer closed the pull request without reviewing it. After the rejection, Lobstein published full technical details together with a working exploit.
VulnCheck has added CVE-2026-28515 and CVE-2026-28517 to its Known Exploited Vulnerabilities catalog. The company warns that openDCIM typically sits in high-value network segments alongside server provisioning systems and core network equipment, so compromising a single instance gives an attacker a pivot point into an organization's critical infrastructure.