CVE-2024-58338

CRITICAL

Anevia Flamingo XL 3.2.9 - OS Command Injection via Traceroute Command

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58338. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a jailbreak from a restricted shell environment in Anevia Flamingo XL 3.2.9 by leveraging command injection via the traceroute command, allowing an attacker to escape the sandbox and gain root access.

Description

Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · text · remote · hardware
https://www.exploit-db.com/exploits/51516

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Anevia Flamingo XL v3.2.9
Auth required
Prerequisites: SSH access to the device · Valid credentials for the restricted shell
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory: https://www.exploit-db.com/exploits/51516
Product: https://www.ateme.com
Third Party Advisory: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

Scores

CVSS v3 10.0
EPSS 0.0072
EPSS Percentile 48.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (1): ateme/flamingo_xl_firmware 3.2.9
Published: Dec 30, 2025
Tracked Since: Feb 18, 2026