CVE-2024-58338

Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.ateme.com	Product
https://www.exploit-db.com/exploits/51516	Exploit Third Party Advisory
https://www.vulncheck.com/advisories/anevia-flamingo-xl-remote-root-jailbreak-via-traceroute-command	Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php	Third Party Advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ateme:flamingo_xl_firmware:3.2.9:*:*:*:*:*:*:*

cpe:2.3:h:ateme:flamingo_xl:-:*:*:*:*:*:*:*

History

16 Jan 2026, 19:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 10.0

14 Jan 2026, 14:16

Type	Values Removed	Values Added
CWE	~~CWE-266~~

13 Jan 2026, 21:16

Type	Values Removed	Values Added
CWE		CWE-78
First Time		Ateme Ateme flamingo Xl Ateme flamingo Xl Firmware
CPE		cpe:2.3:o:ateme:flamingo_xl_firmware:3.2.9:::::::* cpe:2.3:h:ateme:flamingo_xl:-:::::::*
References	~~() https://www.ateme.com -~~	() https://www.ateme.com - Product
References	~~() https://www.exploit-db.com/exploits/51516 -~~	() https://www.exploit-db.com/exploits/51516 - Exploit, Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/anevia-flamingo-xl-remote-root-jailbreak-via-traceroute-command -~~	() https://www.vulncheck.com/advisories/anevia-flamingo-xl-remote-root-jailbreak-via-traceroute-command - Third Party Advisory
References	~~() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php -~~	() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php - Third Party Advisory

02 Jan 2026, 15:15

Type	Values Removed	Values Added
References	~~() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php -~~	() https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php -

30 Dec 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-30 23:15

Updated : 2026-01-16 19:16

NVD link : CVE-2024-58338

Mitre link : CVE-2024-58338

CVE.ORG link : CVE-2024-58338

JSON object : View

Products Affected

ateme

flamingo_xl
flamingo_xl_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

10.0 /10