background

CVE-2026-61498: Unauthenticated Command Injection via the `/admin/ajax/gen_graphs.php` Endpoint

Published 11 juillet 2026
CVSS 9.8
Vitec
Flamingo
4.12.2
Executive summaryAn OS command injection vulnerability exists in the gen_graphs.php component of the Vitec Flamingo device. The start, end, key, and format HTTP GET parameters are incorporated into a shell command without proper neutralization of special characters before being passed to passthru(). The affected endpoint does not require authentication, allowing a remote unauthenticated attacker to execute arbitrary operating system commands. Because the web server context has passwordless sudo access to root privileges on the affected device, successful exploitation can result in arbitrary command execution with root privileges, leading to full system compromise.

Context

The Vitec Flamingo device exposes the gen_graphs.php endpoint, which is responsible for generating graphical representations of monitoring data using RRDTool. The endpoint accepts several user-controlled parameters that are subsequently incorporated into shell commands executed on the underlying operating system.

Attack Vectors

  • Network Access: Remote
  • Authentication Required: None
  • User Interaction: None
  • Injection Point: HTTP GET parameters

Vulnerability Details

The endpoint /gen_graphs.php accepts multiple GET parameters, including start, end, key, and format.

gen_graphs.php EndpointFigure 1 : gen_graphs.php Endpoint

The script collects these parameters and stores them in the $params array before loading the appropriate graph generation script:

Code$params = [
  'type' => @$_GET['type'],
  'key'  => @$_GET['key'],
];
...
$params[$param] = array_key_exists($param, $_GET)
  ? $_GET[$param]
  : $default_value;

The selected graph generation script subsequently uses these user-supplied values to construct shell commands that are executed through passthru(). The parameters are incorporated into the command line without proper neutralization of shell metacharacters.

The gen_graphs.php file include filepath constructed with unsanitized user inputs so we can control the file to be included as long as it ends with .inc.php: Unsantize user inputs to build filepathFigure 2 : Unsantize user inputs to build filepath

Then the function generate_function is called from that particular file included: Unsanitize user inputs to build cmd commandFigure 3 : Unsanitize user inputs to build cmd command

The generateImage function is then called and uses passthru() without any verifications: Unsafe passthru() UsageFigure 4 : Unsafe passthru() Usage

Because the application fails to validate or escape the start, end, key, and format parameters before passing them to the shell, an attacker can inject arbitrary operating system commands.

Furthermore, the endpoint does not enforce authentication. As a result, a remote unauthenticated attacker can directly reach the vulnerable functionality and trigger command execution.

On affected devices, the web server context has passwordless sudo permissions, causing injected commands to execute with root privileges.

Proof of Concept (PoC)

To exploit the vulnerability:

  1. Send a request to /gen_graphs.php.
  2. Supply a malicious payload in one of the vulnerable parameters (start, end, key, or format).
  3. The graph generation routine will invoke passthru(), causing the injected command to be executed by the operating system.

RCE PoCFigure 5 : RCE PoC

The injected command is then executed on the device with root privileges.

Risk and Impact

Successful exploitation of this vulnerability may lead to significant impacts, including:

  • Execution of arbitrary operating system commands.
  • Unauthenticated remote code execution.
  • Execution with root privileges via passwordless sudo.
  • Full compromise of the affected device.
  • Installation of persistent backdoors, theft of sensitive information, or use of the device as a pivot point for lateral movement within the network.

Unlike authentication bypass vulnerabilities, exploitation only requires sending a crafted HTTP request to the exposed endpoint. The root cause is the incorporation of untrusted input into shell commands executed via passthru() without proper sanitization.

Authors

  • Yassine Damiri
  • Adam Outikni
© 2023 Yassine Damiri. All Rights Reserved.
AboutPrivacy PolicyContact