VulnCheck says attackers are chaining three critical bugs (CVE-2026-28515, CVE-2026-28517, CVE-2026-28516) in openDCIM, an open-source data center management web app, to drop PHP web shells on exposed installs. All three rate CVSS 9.3 and cover missing authorization, OS command injection, and SQL injection. They can be combined over five HTTP requests to land a reverse shell. The activity comes from a single Chinese IP using what VulnCheck describes as a customized version of Vulnhuntr, a public AI-driven vulnerability discovery tool. The campaign is one of the first publicly documented cases of an open-source AI vuln scanner being repurposed for real-world exploitation.