module
openDCIM install.php SQL Injection to RCE
| Disclosed | Created |
|---|---|
| Feb 28, 2026 | Apr 15, 2026 |
Disclosed
Feb 28, 2026
Created
Apr 15, 2026
Description
This module exploits a SQL injection vulnerability in openDCIM's install.php
endpoint (CVE-2026-28515) to achieve remote code execution. The install.php
script remains accessible after installation and processes LDAP configuration
parameters via UpdateParameter() without authentication or input sanitization,
allowing stacked SQL queries.
The exploit chain works by injecting SQL through the LDAP configuration form
to overwrite the Graphviz dot binary path in fac_Config, then triggering
report_network_map.php which calls exec() with the poisoned value. A backup
of the original configuration is created before exploitation and restored
after payload delivery.
Tested against openDCIM 23.04 through 25.01 on Ubuntu with Apache.
endpoint (CVE-2026-28515) to achieve remote code execution. The install.php
script remains accessible after installation and processes LDAP configuration
parameters via UpdateParameter() without authentication or input sanitization,
allowing stacked SQL queries.
The exploit chain works by injecting SQL through the LDAP configuration form
to overwrite the Graphviz dot binary path in fac_Config, then triggering
report_network_map.php which calls exec() with the poisoned value. A backup
of the original configuration is created before exploitation and restored
after payload delivery.
Tested against openDCIM 23.04 through 25.01 on Ubuntu with Apache.
Author
Valentin Lobstein [email protected]
Platform
Linux,Unix
Architectures
cmd, x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.