background

CVE-2026-60121: Unauthenticated Command Injection via the `/admin/ajax/ping.php` Endpoint

Published 11 juillet 2026
CVSS 9.8
Vitec
Flamingo
4.12.2
Executive summaryA critical command injection vulnerability was discovered in the `admin/ajax/ping.php` endpoint of the Vitec administration interface. Although user input is properly protected using `escapeshellarg()`, the `/usr/share/commands/ping` script reuses this value without escaping before executing it via `shell_exec()`. This flaw allows an unauthenticated attacker to inject arbitrary commands and execute them with root privileges on the server.

Context

The Vitec Flamingo administration interface exposes an endpoint that allows administrators to perform network connectivity tests. This endpoint passes a user-controlled value to a system utility responsible for executing a ping command.

Attack Vectors

  • Network Access: Remote
  • Authentication Required: None
  • User Interaction: None
  • Injection Point: Network endpoint

Vulnerability Details

The endpoint /admin/ajax/ping.php accepts a POST request containing the host parameter, then executes the system wrapper /usr/share/commands/ping as root:

ping.php EndpointFigure 1 : ping.php Endpoint

Before execution, the value of host is properly protected using escapeshellarg(), preventing command injection at this stage.

Code of the /usr/share/commands/ping wrapperFigure 2 : Code of the /usr/share/commands/ping wrapper

The /usr/share/commands/ping wrapper then retrieves this value from $argv[1] and uses it to build a new system command executed via shell_exec(). Unlike ping.php, this second step performs no escaping or additional validation of the user input.

This unsafe reuse results in a second interpretation of the data by the shell, allowing the injection and execution of arbitrary commands with root privileges.

Proof of Concept (PoC)

To exploit the vulnerability:

  1. Send a request to admin/ajax/ping.php.
  2. Provide a malicious value in the host parameter.
  3. The wrapper will execute the injected command when calling shell_exec().

Remote RCE PoCFigure 3 : Remote RCE PoC

The id command is then executed on the server with root privileges.

Risk and Impact

Successful exploitation of this vulnerability may lead to significant impacts, including:

  • Execution of arbitrary commands on the server.
  • Execution with root privileges via sudo.
  • Full compromise of the device hosting the administration interface.
  • The ability to install a backdoor, steal sensitive data, or use the server as a pivot point for lateral movement.
  • No bypass of escapeshellarg() is required: the vulnerability results from a second interpretation of the data by the wrapper.

Authors

  • Yassine Damiri
  • Adam Outikni
© 2023 Yassine Damiri. All Rights Reserved.
AboutPrivacy PolicyContact