CVE-2026-60121

VITEC · Flamingo

Vitec Flamingo 4.12.2 contains an unauthenticated OS command injection vulnerability in the admin/ajax/ping.php endpoint due to improper shell argument handling.

Executive summary

A critical unauthenticated OS command injection vulnerability exists in Vitec Flamingo 4.12.2, allowing remote attackers to execute arbitrary commands with root privileges.

Vulnerability

This is an OS command injection vulnerability (CWE-78) occurring in the admin/ajax/ping.php endpoint. The application fails to properly sanitize user-supplied input, leading to a double-evaluation flaw where an attacker can execute arbitrary commands via passwordless sudo.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting its potential for total system compromise. Successful exploitation grants an attacker full root-level control over the affected appliance, which may lead to complete data exfiltration, permanent service disruption, and the potential for the device to be used as a pivot point within the internal network.

Remediation

Immediate Action: Identify and isolate all instances of Vitec Flamingo 4.12.2 from public-facing networks until a vendor-supplied patch is applied.

Proactive Monitoring: Monitor network traffic for unusual POST requests to the /admin/ajax/ping.php endpoint and review system logs for unexpected execution of shell commands.

Compensating Controls: Implement a Web Application Firewall (WAF) rule to block or sanitize requests containing shell metacharacters directed at the identified endpoint.

Exploitation status

Public Exploit Available: No (Exploit_available: unknown)

Analyst recommendation

Given the critical severity and the existence of a proof-of-concept, users must prioritize the deployment of vendor-supplied security updates. Organizations should ensure that the affected systems are not exposed to the public internet and verify that access controls are strictly enforced for administrative interfaces.