External risk intelligence

Open XDMoD Command Execution Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-45777

A critical vulnerability in Open XDMoD allows remote attackers to execute arbitrary commands on affected servers, potentially leading to data compromise or service disruption. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 are impacted, and immediate review of affected systems is recommended.

3Halo Surface Signal

OS Command Injection

Buffalo Open Xdmod

9.5.0 to before 11.0.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-45777

Open XDMoD is an HPC metrics analysis tool typically deployed within internal research or academic network environments to monitor infrastructure, rather than as a public-facing web service. While it is a web application and potentially reachable if exposed, it is not standard practice to expose such performance monitoring portals directly to the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-45777

Yes

CVE-2026-45777 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Open XDMoD allows remote command execution, impacting system integrity and availability.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Open XDMoD, an HPC metrics analysis framework, affecting versions 9.5.0 through 11.0.2. This flaw allows remote attackers to execute arbitrary system commands, potentially leading to unauthorized access, modification of data, or service disruption. While there is currently no evidence of exploitation, the severity of this vulnerability necessitates a review of affected systems.

  • Remote attackers can run commands on servers.
  • Affects HPC metrics analysis tools.
  • Confirm relevance and exposure of this tool.

Attack Path

How an attacker could exploit the issue

An attacker could reach an exposed web server running Open XDMoD and execute arbitrary commands. By exploiting this vulnerability, an attacker could gain control over the server, allowing them to access or change sensitive data and disrupt operations.

  • No authentication or special access needed.
  • Remotely trigger command execution.
  • Full server control risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to remotely execute arbitrary system commands on the web server hosting Open XDMoD. This could lead to the modification or reading of application data, changes to system configuration, or disruption of service availability.

  • System commands on web server.
  • Remote execution of arbitrary commands.
  • Potential disruption or modification of service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The application owner or platform team is likely responsible for addressing this critical vulnerability in Open XDMoD. The immediate priority is to identify all instances of the affected software, assess their exposure and business criticality, and then plan remediation. Coordination with the vendor for patching or applying manual workarounds is essential.

  • Identify affected Open XDMoD instances.
  • Verify exposure and business criticality.
  • Plan and coordinate remediation.
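One way to carry out the identification and exposure steps above, as an added example (not code from the advisory or the Open XDMoD project): it classifies version strings against the affected range stated on this page and orders hosts for remediation. The inventory, host names and package-string format are constructed for illustration.

```python
import re

# Affected range as stated on this page: 9.5.0 up to, but not including, 11.0.3.
FIRST_AFFECTED = (9, 5, 0)
FIRST_FIXED = (11, 0, 3)

def parse_version(text):
    """Return (major, minor, patch) from strings such as '10.5.0' or a
    package string like 'xdmod-11.0.2-1.el8'; None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    # Compare as integers: as plain strings, "9.5.0" would sort after "11.0.2".
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # no usable version string: needs manual review
    if FIRST_AFFECTED <= v < FIRST_FIXED:
        return "affected"
    return "not affected"

def triage(inventory):
    """Order hosts for remediation: affected and externally reachable first,
    then affected internal, then unknown versions; unaffected hosts are dropped."""
    rank = {("affected", True): 0, ("affected", False): 1,
            ("unknown", True): 2, ("unknown", False): 3}
    rows = []
    for host, version_text, exposed in inventory:
        status = classify(version_text)
        if status != "not affected":
            rows.append((rank[(status, exposed)], host, status))
    return [(host, status) for _, host, status in sorted(rows)]

# Constructed inventory: (host, reported version string, reachable from outside?)
INVENTORY = [
    ("metrics-a.example.edu", "11.0.3", True),
    ("metrics-b.example.edu", "xdmod-10.5.0-1.el8", False),
    ("metrics-c.example.edu", "9.5.0", True),
    ("metrics-d.example.edu", "9.0.0", True),
    ("metrics-e.example.edu", "", False),
    ("metrics-f.example.edu", "11.0.2", False),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host}\t{status}")
```

Hosts whose version cannot be read are kept in the output as "unknown" rather than silently treated as safe.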

Frequently asked questions

What is Open XDMoD?

Open XDMoD is an open-source framework designed for high-performance computing (HPC) environments. Administrators use it to collect, analyze, and report on infrastructure metrics, helping them understand how computing resources are being utilized. It functions as a web-based dashboard that visualizes system performance data for research and academic institutions.

How does CVE-2026-45777 impact Open XDMoD?

This vulnerability is classified as CWE-78, which refers to improper neutralization of special elements used in an OS command. In plain English, the application fails to properly filter input, allowing an attacker to inject their own commands into the system. Because the web server process runs these commands, the attacker gains the same level of authority as the server itself.

Do I need to be authenticated to trigger this flaw?

No, this vulnerability does not require authentication. An attacker can attempt to trigger it remotely without needing valid user credentials. Simply interacting with the vulnerable web interface is sufficient to initiate the command execution. However, the attack will only succeed if the server is reachable; it cannot be triggered by someone who lacks network access to the web application.

Is my deployment at risk according to Halo Surface Signal?

Halo Surface Signal notes that Open XDMoD is generally used for internal infrastructure monitoring within research or academic networks rather than being public-facing. While the software is inherently vulnerable, your specific risk level depends on whether you have exposed this internal dashboard to the broader internet. Systems kept on private, restricted networks are less reachable to external attackers.

When should I update my Open XDMoD software?

You should prioritize updating as soon as possible. The vulnerability is fully patched in version 11.0.3, which was released in May 2026. If you cannot perform a full software update immediately, the advisory recommends applying the provided manual patch to secure your server against unauthorized command execution.
