<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Flamingo 4.12.2 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/flamingo-4.12.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 14:17:52 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/flamingo-4.12.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated OS Command Injection in Vitec Flamingo</title><link>https://feed.craftedsignal.io/briefs/2026-07-vitec-flamingo-rce/</link><pubDate>Mon, 13 Jul 2026 14:17:52 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-vitec-flamingo-rce/</guid><description>Vitec Flamingo version 4.12.2 contains an unauthenticated OS command injection vulnerability (CVE-2026-60121) in the `admin/ajax/ping.php` endpoint, allowing remote attackers to execute arbitrary commands with root privileges via a double-evaluation flaw in shell argument handling through the `host` POST parameter.</description><content:encoded><![CDATA[<p>A critical unauthenticated OS command injection vulnerability, tracked as CVE-2026-60121, has been identified in Vitec Flamingo version 4.12.2. This flaw exists within the <code>admin/ajax/ping.php</code> endpoint and stems from a double-evaluation issue in the handling of shell arguments. Remote attackers can exploit this by manipulating the <code>host</code> POST parameter with crafted shell metacharacters. Although <code>escapeshellarg()</code> is initially applied, an internal system wrapper retrieves the <em>decoded</em> value from <code>argv</code> and uses it in a subsequent <code>shell_exec()</code> call without proper escaping, leading to arbitrary command execution with root privileges through passwordless sudo. This allows for complete system compromise without prior authentication, posing a severe risk to organizations using vulnerable Vitec Flamingo instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated remote attacker sends an HTTP POST request to the <code>admin/ajax/ping.php</code> endpoint of a vulnerable Vitec Flamingo instance.</li>
<li>The attacker includes a maliciously crafted <code>host</code> POST parameter containing shell metacharacters (e.g., <code>127.0.0.1;id</code>).</li>
<li>The application applies <code>escapeshellarg()</code> to the <code>host</code> parameter, seemingly neutralizing the injection attempt.</li>
<li>An internal system wrapper, designed to execute network <code>ping</code> commands, retrieves the <em>decoded</em> value of the <code>host</code> parameter directly from its <code>argv</code> (argument vector).</li>
<li>The wrapper then incorporates this decoded, unescaped value into a second, internal <code>shell_exec()</code> call without applying further sanitization.</li>
<li>The injected shell commands (e.g., <code>id</code> or other arbitrary commands) are executed on the underlying operating system.</li>
<li>The executed commands inherit privileges, and due to system configuration (e.g., passwordless <code>sudo</code> for the <code>ping</code> command's execution context), they run with root privileges.</li>
<li>The attacker achieves arbitrary OS command execution with root privileges, leading to full system compromise, data exfiltration, or further lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-60121 results in unauthenticated remote code execution with root privileges on the affected Vitec Flamingo server. This critical vulnerability allows attackers to gain complete control over the system, potentially leading to unauthorized data access, modification, or destruction, installation of persistent backdoors, and use of the compromised server as a pivot point for further attacks within the network. Organizations running vulnerable versions face severe risks including critical data breaches, significant operational disruption, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-60121 immediately by upgrading Vitec Flamingo to a version beyond 4.12.2 or applying any vendor-provided security patches.</li>
<li>Deploy the <code>Detects CVE-2026-60121 Exploitation - Flamingo RCE</code> Sigma rule to your SIEM to detect exploitation attempts against the <code>admin/ajax/ping.php</code> endpoint.</li>
<li>Monitor webserver logs for HTTP POST requests to <code>/admin/ajax/ping.php</code> containing unusual or shell-like characters in the query string or request body.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>os-command-injection</category><category>rce</category><category>web-application</category><category>linux</category></item></channel></rss>