External risk intelligence

DedeCMS V5.7.118 Command Execution in file_manage_control.php

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38615

A critical command execution vulnerability exists in DedeCMS's file management functionality, potentially allowing unauthenticated network access to execute arbitrary commands on affected systems. This could lead to a complete system compromise, impacting data integrity and availability, making it crucial to identify a

4Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38615

DedeCMS is a content management system designed to be deployed as a public-facing web application. The vulnerability exists in a file management component that is often accessible within the application's administrative or functional interface, which is commonly exposed to the internet in standard web deployments.

PCI scan relevance

PCI Relevance for CVE-2026-38615

Yes

CVE-2026-38615 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This command execution vulnerability in DedeCMS V5.7.118 is relevant for PCI scans due to its potential to allow remote code execution.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in DedeCMS software, specifically in a file management component that could allow for unauthorized command execution. While the exact business impact depends on whether your organization uses this specific software, such flaws can enable attackers to take control of systems, potentially leading to data breaches or service disruptions. It is important to determine if this technology is in use and assess exposure.

Allows unauthorized control of systems.
Could impact public-facing web applications.
Confirm if this software is in use.

Attack Path

How an attacker could exploit the issue

An attacker could target a DedeCMS instance through the network, exploiting a weakness in its file management feature. This could allow them to execute arbitrary commands on the server, potentially leading to a complete compromise of the system.

Accessible via the network.
Triggers via file management feature.
Risk of full system compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in DedeCMS could allow an unauthenticated attacker to execute arbitrary commands on the server when a file management feature is accessible. This could affect the integrity and availability of the DedeCMS application and potentially the underlying server.

Server-side commands could be executed.
Network access to vulnerable function.
System compromise and data loss.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in DedeCMS's file management component requires immediate attention from teams managing web applications and their underlying infrastructure. The first step is to identify all DedeCMS installations, determine their exposure and criticality, and assign ownership to an accountable team for risk-based remediation planning.

Application owners should confirm installations.
Verify internet reachability and business impact.
Plan remediation based on identified risk.

Frequently asked questions

What is DedeCMS and how is it used?

DedeCMS is a PHP-based content management system used to build and maintain websites. It provides tools for creating, editing, and managing digital content, including features for file management and administrative control over the site's server environment.

What does CVE-2026-38615 mean for my security?

This vulnerability is classified as CWE-78, or OS Command Injection. It occurs when an application fails to properly filter user input before passing it to the underlying operating system. In this case, it allows an attacker to run unauthorized commands on your server, effectively gaining control over the system's functions and data.

How is this DedeCMS command execution triggered?

The flaw is triggered when an attacker interacts with the specific file_manage_control.php file over the network. It does not require the attacker to have a pre-existing account or administrative privileges to initiate the command; simply reaching the functional interface of this file is sufficient.

Is my instance at risk according to Halo Surface Signal?

Because DedeCMS is typically deployed as a public-facing web application, Halo Surface Signal flags this as a highly relevant risk. If your installation is reachable via the internet, it is exposed to external actors, making it a priority to investigate regardless of whether it is an internal tool or a public site.

How do I respond to this vulnerability?

Start by locating every DedeCMS installation within your environment to understand your footprint. Once identified, evaluate whether the application needs to remain internet-facing and work with the responsible teams to prioritize security updates or restrict network access to the affected file management interface until a permanent solution is applied.

References

github.com/Bul11et/CMS/blob/main/1.docx

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.