CVE-2026-60121
VITEC · Flamingo
Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint due to improper shell argument handling.
Executive summary
A critical unauthenticated OS command injection vulnerability exists in Vitec Flamingo 4.12.2, allowing remote attackers to execute arbitrary commands with root privileges.
Vulnerability
This is an OS command injection vulnerability (CWE-78) occurring in the admin/ajax/ping.php endpoint. The application fails to properly sanitize user-supplied input, leading to a double-evaluation flaw where an attacker can execute arbitrary commands via passwordless sudo.
Business impact
This vulnerability carries a CVSS score of 9.8, reflecting its potential for total system compromise. Successful exploitation grants an attacker full root-level control over the affected appliance, which may lead to complete data exfiltration, permanent service disruption, and the potential for the device to be used as a pivot point within the internal network.
Remediation
Immediate Action: Identify and isolate all instances of Vitec Flamingo 4.12.2 from public-facing networks until a vendor-supplied patch is applied.
Proactive Monitoring: Monitor network traffic for unusual POST requests to the /admin/ajax/ping.php endpoint and review system logs for unexpected execution of shell commands.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or sanitize requests containing shell metacharacters directed at the identified endpoint.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
Given the critical severity and the existence of a proof-of-concept, users must prioritize the deployment of vendor-supplied security updates. Organizations should ensure that the affected systems are not exposed to the public internet and verify that access controls are strictly enforced for administrative interfaces.