Skip to content
Threat Feed
critical advisory

Unauthenticated OS Command Injection in Vitec Flamingo

Vitec Flamingo version 4.12.2 contains an unauthenticated OS command injection vulnerability (CVE-2026-60121) in the `admin/ajax/ping.php` endpoint, allowing remote attackers to execute arbitrary commands with root privileges via a double-evaluation flaw in shell argument handling through the `host` POST parameter.

What's new

  • l2 added CVE-2026-61498 Jul 13, 14:18 via nvd

A critical unauthenticated OS command injection vulnerability, tracked as CVE-2026-60121, has been identified in Vitec Flamingo version 4.12.2. This flaw exists within the admin/ajax/ping.php endpoint and stems from a double-evaluation issue in the handling of shell arguments. Remote attackers can exploit this by manipulating the host POST parameter with crafted shell metacharacters. Although escapeshellarg() is initially applied, an internal system wrapper retrieves the decoded value from argv and uses it in a subsequent shell_exec() call without proper escaping, leading to arbitrary command execution with root privileges through passwordless sudo. This allows for complete system compromise without prior authentication, posing a severe risk to organizations using vulnerable Vitec Flamingo instances.

Attack Chain

  1. An unauthenticated remote attacker sends an HTTP POST request to the admin/ajax/ping.php endpoint of a vulnerable Vitec Flamingo instance.
  2. The attacker includes a maliciously crafted host POST parameter containing shell metacharacters (e.g., 127.0.0.1;id).
  3. The application applies escapeshellarg() to the host parameter, seemingly neutralizing the injection attempt.
  4. An internal system wrapper, designed to execute network ping commands, retrieves the decoded value of the host parameter directly from its argv (argument vector).
  5. The wrapper then incorporates this decoded, unescaped value into a second, internal shell_exec() call without applying further sanitization.
  6. The injected shell commands (e.g., id or other arbitrary commands) are executed on the underlying operating system.
  7. The executed commands inherit privileges, and due to system configuration (e.g., passwordless sudo for the ping command's execution context), they run with root privileges.
  8. The attacker achieves arbitrary OS command execution with root privileges, leading to full system compromise, data exfiltration, or further lateral movement.

Impact

Successful exploitation of CVE-2026-60121 results in unauthenticated remote code execution with root privileges on the affected Vitec Flamingo server. This critical vulnerability allows attackers to gain complete control over the system, potentially leading to unauthorized data access, modification, or destruction, installation of persistent backdoors, and use of the compromised server as a pivot point for further attacks within the network. Organizations running vulnerable versions face severe risks including critical data breaches, significant operational disruption, and reputational damage.

Recommendation

  • Patch CVE-2026-60121 immediately by upgrading Vitec Flamingo to a version beyond 4.12.2 or applying any vendor-provided security patches.
  • Deploy the Detects CVE-2026-60121 Exploitation - Flamingo RCE Sigma rule to your SIEM to detect exploitation attempts against the admin/ajax/ping.php endpoint.
  • Monitor webserver logs for HTTP POST requests to /admin/ajax/ping.php containing unusual or shell-like characters in the query string or request body.

Detection coverage 1

Detects CVE-2026-60121 Exploitation - Flamingo RCE

high

Detects CVE-2026-60121 exploitation - HTTP POST requests to admin/ajax/ping.php with shell metacharacters in parameters, indicating OS command injection attempt.

sigma tactics: execution, initial_access, privilege_escalation techniques: T1059.006, T1068, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →