CVE-2026-61498
VITEC · Flamingo
Vitec Flamingo 4.12.2 is susceptible to unauthenticated OS command injection via the admin/ajax/gen_graphs.php endpoint due to insufficient input sanitization.
Executive summary
A critical unauthenticated OS command injection vulnerability in Vitec Flamingo 4.12.2 allows remote attackers to gain root-level code execution.
Vulnerability
The application suffers from OS command injection (CWE-78) within the admin/ajax/gen_graphs.php script. Unauthenticated attackers can inject malicious shell metacharacters into multiple HTTP GET parameters, which are then passed to a system passthru() call with root privileges.
Business impact
With a CVSS score of 9.8, this vulnerability poses an extreme risk to infrastructure security. An attacker can achieve complete system takeover, potentially leading to the compromise of sensitive IPTV distribution configurations and persistent unauthorized access to the underlying operating system.
Remediation
Immediate Action: Update the affected VITEC Flamingo software to the latest version provided by the vendor.
Proactive Monitoring: Audit web server logs for suspicious GET requests containing shell special characters targeting the gen_graphs.php script.
Compensating Controls: Deploy WAF rules to filter out requests containing shell syntax or unexpected characters in the start, end, key, or format parameters.
Exploitation status
Public Exploit Available: No (Exploit_available: unknown)
Analyst recommendation
The severity of this issue necessitates immediate attention. Administrators must verify their software version and apply the vendor's recommended security patches as soon as they are released to prevent potential exploitation of the command injection vector.