Unauthenticated OS Command Injection in Vitec Flamingo
Vitec Flamingo version 4.12.2 contains an unauthenticated OS command injection vulnerability (CVE-2026-60121) in the `admin/ajax/ping.php` endpoint, allowing remote attackers to execute arbitrary commands with root privileges via a double-evaluation flaw in shell argument handling through the `host` POST parameter.
What's new
- l2 added CVE-2026-61498 Jul 13, 14:18 via nvd
A critical unauthenticated OS command injection vulnerability, tracked as CVE-2026-60121, has been identified in Vitec Flamingo version 4.12.2. This flaw exists within the admin/ajax/ping.php endpoint and stems from a double-evaluation issue in the handling of shell arguments. Remote attackers can exploit this by manipulating the host POST parameter with crafted shell metacharacters. Although escapeshellarg() is initially applied, an internal system wrapper retrieves the decoded value from argv and uses it in a subsequent shell_exec() call without proper escaping, leading to arbitrary command execution with root privileges through passwordless sudo. This allows for complete system compromise without prior authentication, posing a severe risk to organizations using vulnerable Vitec Flamingo instances.
Attack Chain
- An unauthenticated remote attacker sends an HTTP POST request to the
admin/ajax/ping.phpendpoint of a vulnerable Vitec Flamingo instance. - The attacker includes a maliciously crafted
hostPOST parameter containing shell metacharacters (e.g.,127.0.0.1;id). - The application applies
escapeshellarg()to thehostparameter, seemingly neutralizing the injection attempt. - An internal system wrapper, designed to execute network
pingcommands, retrieves the decoded value of thehostparameter directly from itsargv(argument vector). - The wrapper then incorporates this decoded, unescaped value into a second, internal
shell_exec()call without applying further sanitization. - The injected shell commands (e.g.,
idor other arbitrary commands) are executed on the underlying operating system. - The executed commands inherit privileges, and due to system configuration (e.g., passwordless
sudofor thepingcommand's execution context), they run with root privileges. - The attacker achieves arbitrary OS command execution with root privileges, leading to full system compromise, data exfiltration, or further lateral movement.
Impact
Successful exploitation of CVE-2026-60121 results in unauthenticated remote code execution with root privileges on the affected Vitec Flamingo server. This critical vulnerability allows attackers to gain complete control over the system, potentially leading to unauthorized data access, modification, or destruction, installation of persistent backdoors, and use of the compromised server as a pivot point for further attacks within the network. Organizations running vulnerable versions face severe risks including critical data breaches, significant operational disruption, and reputational damage.
Recommendation
- Patch CVE-2026-60121 immediately by upgrading Vitec Flamingo to a version beyond 4.12.2 or applying any vendor-provided security patches.
- Deploy the
Detects CVE-2026-60121 Exploitation - Flamingo RCESigma rule to your SIEM to detect exploitation attempts against theadmin/ajax/ping.phpendpoint. - Monitor webserver logs for HTTP POST requests to
/admin/ajax/ping.phpcontaining unusual or shell-like characters in the query string or request body.
Detection coverage 1
Detects CVE-2026-60121 Exploitation - Flamingo RCE
highDetects CVE-2026-60121 exploitation - HTTP POST requests to admin/ajax/ping.php with shell metacharacters in parameters, indicating OS command injection attempt.
Detection queries are available on the platform. Get full rules →