{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/flamingo-4.12.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-60121"},{"cvss":9.8,"id":"CVE-2026-61498"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Flamingo 4.12.2"],"_cs_severities":["critical"],"_cs_tags":["os-command-injection","rce","web-application","linux"],"_cs_type":"advisory","_cs_vendors":["Vitec"],"content_html":"\u003cp\u003eA critical unauthenticated OS command injection vulnerability, tracked as CVE-2026-60121, has been identified in Vitec Flamingo version 4.12.2. This flaw exists within the \u003ccode\u003eadmin/ajax/ping.php\u003c/code\u003e endpoint and stems from a double-evaluation issue in the handling of shell arguments. Remote attackers can exploit this by manipulating the \u003ccode\u003ehost\u003c/code\u003e POST parameter with crafted shell metacharacters. Although \u003ccode\u003eescapeshellarg()\u003c/code\u003e is initially applied, an internal system wrapper retrieves the \u003cem\u003edecoded\u003c/em\u003e value from \u003ccode\u003eargv\u003c/code\u003e and uses it in a subsequent \u003ccode\u003eshell_exec()\u003c/code\u003e call without proper escaping, leading to arbitrary command execution with root privileges through passwordless sudo. This allows for complete system compromise without prior authentication, posing a severe risk to organizations using vulnerable Vitec Flamingo instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated remote attacker sends an HTTP POST request to the \u003ccode\u003eadmin/ajax/ping.php\u003c/code\u003e endpoint of a vulnerable Vitec Flamingo instance.\u003c/li\u003e\n\u003cli\u003eThe attacker includes a maliciously crafted \u003ccode\u003ehost\u003c/code\u003e POST parameter containing shell metacharacters (e.g., \u003ccode\u003e127.0.0.1;id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe application applies \u003ccode\u003eescapeshellarg()\u003c/code\u003e to the \u003ccode\u003ehost\u003c/code\u003e parameter, seemingly neutralizing the injection attempt.\u003c/li\u003e\n\u003cli\u003eAn internal system wrapper, designed to execute network \u003ccode\u003eping\u003c/code\u003e commands, retrieves the \u003cem\u003edecoded\u003c/em\u003e value of the \u003ccode\u003ehost\u003c/code\u003e parameter directly from its \u003ccode\u003eargv\u003c/code\u003e (argument vector).\u003c/li\u003e\n\u003cli\u003eThe wrapper then incorporates this decoded, unescaped value into a second, internal \u003ccode\u003eshell_exec()\u003c/code\u003e call without applying further sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands (e.g., \u003ccode\u003eid\u003c/code\u003e or other arbitrary commands) are executed on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe executed commands inherit privileges, and due to system configuration (e.g., passwordless \u003ccode\u003esudo\u003c/code\u003e for the \u003ccode\u003eping\u003c/code\u003e command's execution context), they run with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary OS command execution with root privileges, leading to full system compromise, data exfiltration, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-60121 results in unauthenticated remote code execution with root privileges on the affected Vitec Flamingo server. This critical vulnerability allows attackers to gain complete control over the system, potentially leading to unauthorized data access, modification, or destruction, installation of persistent backdoors, and use of the compromised server as a pivot point for further attacks within the network. Organizations running vulnerable versions face severe risks including critical data breaches, significant operational disruption, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-60121 immediately by upgrading Vitec Flamingo to a version beyond 4.12.2 or applying any vendor-provided security patches.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects CVE-2026-60121 Exploitation - Flamingo RCE\u003c/code\u003e Sigma rule to your SIEM to detect exploitation attempts against the \u003ccode\u003eadmin/ajax/ping.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP POST requests to \u003ccode\u003e/admin/ajax/ping.php\u003c/code\u003e containing unusual or shell-like characters in the query string or request body.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T14:18:20Z","date_published":"2026-07-13T14:17:52Z","id":"https://feed.craftedsignal.io/briefs/2026-07-vitec-flamingo-rce/","summary":"Vitec Flamingo version 4.12.2 contains an unauthenticated OS command injection vulnerability (CVE-2026-60121) in the `admin/ajax/ping.php` endpoint, allowing remote attackers to execute arbitrary commands with root privileges via a double-evaluation flaw in shell argument handling through the `host` POST parameter.","title":"Unauthenticated OS Command Injection in Vitec Flamingo","url":"https://feed.craftedsignal.io/briefs/2026-07-vitec-flamingo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Flamingo 4.12.2","version":"https://jsonfeed.org/version/1.1"}