OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
Summary
Hide ▲
Show ▼
openDCIM is seeing an active exploitation wave tied to CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517, with attackers targeting vulnerable installations and moving toward remote code execution. The activity has been linked to a single Chinese IP and automated checks for exposed deployments before a PHP web shell is dropped. The flaws can be chained in as few as five HTTP requests to reach a reverse shell on affected systems. That makes unpatched openDCIM deployments a live compromise risk, not just a theoretical issue.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
Vulnerability
H score26
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
**HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
VulnerabilityAbout this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/Mitigation
H score46
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
NGINX and Apache HTTPD HTTP/2 Bomb mitigations
Advisory/MitigationAbout this happening: Calif issued mitigation guidance for **NGINX** and **Apache HTTPD** operators after **HTTP/2 Bomb** was found to enable a **remote denial-of-service** against default HTTP/2 confi...
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
Vulnerability
H score39
First: 03.06.2026 11:33
Last: 03.06.2026 11:33
Sources 1
About this happening:
Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
Major web servers HTTP/2 Bomb remote DoS denial-of-service flaw
VulnerabilityAbout this happening: Researchers disclosed **HTTP/2 Bomb**, a **remote denial-of-service** vulnerability in **default HTTP/2 configurations** that can make **NGINX, Apache HTTPD, Microsoft IIS, Envoy,...
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
Vulnerability
H score28
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
How related:
A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
About this happening:
**CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
NGINX Plus and NGINX Open Source ngx_http_rewrite_module heap buffer overflow remote code execution flaw (CVE-2026-42945)
VulnerabilityHow related: A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.
About this happening: **CVE-2026-42945** exposes a **heap buffer overflow** in **NGINX Plus** and **NGINX Open Source** through **ngx_http_rewrite_module**, creating risk of **unauthenticated remote co...
Timeline
-
17.05.2026 14:57 2 articles · 1mo ago
openDCIM CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517 exploitation wave
Campaign Scope UpdateVulnCheck says openDCIM deployments are being targeted in an active exploitation wave involving CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517. The observed activity is tied to a single Chinese IP that appears to use a customized implementation of Vulnhuntr to check for vulnerable installations before dropping a PHP web shell, and the three flaws can be chained over five HTTP requests to reach remote code execution and a reverse shell.
Show sources
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE — thehackernews.com — 17.05.2026 14:57
- NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE — thehackernews.com — 17.05.2026 14:57