Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
This week, the team developed an exploit for CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517, a chain of vulnerabilities in openDCIM that together allow unauthenticated remote code execution. CVE-2026-28515 is an exposed page that lets unauthenticated users set configuration values; CVE-2026-28516 is an unsanitized configuration value used in a SQL statement, leading to SQL injection; and CVE-2026-28517 passes the SQL-controlled value into an OS command, allowing OS command injection. A public write-up and Metasploit module are available courtesy of Chocapikk, and our testing confirmed that default installations are exploitable without authentication. On installations with authentication enabled, the chain still works but requires a valid account; any account will do, not just an administrative one. Our FOFA query finds fewer than 50 hosts online, most of which belong to higher education institutions. openDCIM is used for data center infrastructure management, which makes this a niche but high-value target.
Our exploit comes with a target Docker container, ASM queries, a version scanner, Suricata and Snort rules, and PCAPs. CVE-2026-28516 and CVE-2026-28517 each have Suricata and Snort rules specific to their stage of the chain: the rules for CVE-2026-28516 target the injection request pattern, and the rules for CVE-2026-28517 target the network request that triggers command execution. The full exploit is packaged under CVE-2026-28515.
The team developed an exploit for CVE-2026-23696, a critical SQL injection vulnerability in Windmill (both the CE and EE editions), also discovered by Chocapikk. The vulnerability allows any authenticated user to extract the JWT secrets through the injection, forge "super admin" tokens with them, and from there achieve remote code execution. ZoomEye reports over 800 exposed targets on the internet. The vulnerability isn't yet known to be exploited in the wild. Our exploit comes with PCAPs, network rules, a Docker container, and ASM queries.
The team added an exploit for CVE-2026-5027, a critical unauthenticated remote code execution vulnerability in Langflow <= 1.8.4. Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint: a single unauthenticated request yields a valid session token, after which exploitation proceeds as an ordinary authenticated user. Instances that have disabled auto-login still contain the bug but require credentials to reach it. Disclosed in March 2026, the vulnerability isn't yet known to be exploited in the wild; VulnCheck's exploit marks the first known weaponized exploit for this issue. Our ASM queries identify nearly 2,700 Langflow instances on the public internet. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.
The team also added an exploit for CVE-2025-10230, a critical unauthenticated remote code execution vulnerability in Samba. When Samba runs as a domain controller with WINS support enabled, crafted WINS traffic can reach a command injection and yield RCE. Public proof-of-concept code is available, though no exploitation in the wild has been observed yet. VulnCheck's exploit for this vulnerability is the first to fully weaponize the flaw. Shodan shows just shy of 5K internet-exposed Samba servers, though only those that meet the domain-controller-plus-WINS configuration precondition are exploitable. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.
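Because exploitability of CVE-2025-10230 hinges on configuration rather than version alone, the check a defender wants is a quick audit of smb.conf for the precondition described above. The script below is an added example, not VulnCheck's or Samba's code. It parses the [global] section the way Samba does (parameter names are case- and whitespace-insensitive) and flags a domain controller with `wins support = yes`. It additionally reports the `wins hook` parameter, the nmbd setting that runs an external command on WINS name changes, which is an assumption drawn from the upstream Samba advisory rather than from this summary. The two smb.conf files it writes are constructed samples, and the `/usr/local/sbin/wins-update` path in them is made up.

```sh
#!/bin/sh
# Added example: audit smb.conf for the CVE-2025-10230 precondition
# (AD DC role + WINS support). Not VulnCheck's or Samba's code.

# Print the value of a [global] parameter. The name is compared with all
# whitespace removed and lowercased, matching Samba's own parameter matching.
# Prints nothing (and still returns 0) when the parameter is absent.
smb_global_value() {
    # $1 = config file, $2 = parameter name with spaces removed, e.g. winssupport
    awk -v want="$2" '
        /^[[:space:]]*[;#]/ { next }                       # comment lines
        /^[[:space:]]*\[/ {                                # section header
            insec = tolower($0); gsub(/[[:space:]]/, "", insec); next
        }
        insec == "[global]" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[[:space:]]/, "", key); key = tolower(key)
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            if (key == want) { print val; exit }
        }
    ' "$1"
}

# Samba boolean parsing per smb.conf(5): yes/true/1 are true, anything else false.
smb_is_true() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Emit one verdict line for a config file.
# Only the documented long form of the AD DC role string is recognised here.
check_wins_exposure() {
    conf="$1"
    role=$(smb_global_value "$conf" serverrole | tr 'A-Z' 'a-z')
    wins=$(smb_global_value "$conf" winssupport)
    hook=$(smb_global_value "$conf" winshook)
    if [ "$role" = "active directory domain controller" ] && smb_is_true "${wins:-no}"; then
        if [ -n "$hook" ]; then
            echo "EXPOSED: AD DC with wins support and wins hook=$hook"
        else
            echo "REVIEW: AD DC with wins support enabled (no wins hook set)"
        fi
    else
        echo "OK"
    fi
}

# Constructed sample configs for the demo; not captured from a real host.
write_sample_confs() {
    EXPOSED_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
    trap 'rm -f "$EXPOSED_CONF" "$HARDENED_CONF"' EXIT
    cat > "$EXPOSED_CONF" <<'EOF'
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    Server Role = active directory domain controller
    wins support = yes
    ; hypothetical hook script path, invented for this example
    wins hook = /usr/local/sbin/wins-update
EOF
    cat > "$HARDENED_CONF" <<'EOF'
[global]
    workgroup = CORP
    realm = CORP.EXAMPLE
    server role = active directory domain controller
    wins support = no
EOF
}

write_sample_confs
check_wins_exposure "$EXPOSED_CONF"    # EXPOSED: AD DC with wins support and wins hook=/usr/local/sbin/wins-update
check_wins_exposure "$HARDENED_CONF"   # OK
```

On a real host, feed it the output of `testparm -s` rather than the raw file so that includes and defaults are resolved before the check runs. The hardened sample turns WINS support off entirely; where WINS is genuinely needed, removing the `wins hook` line and upgrading to a fixed Samba release are the relevant changes, and the script still prints REVIEW so the host is not silently dropped from the list.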