Anevia Flamingo XL 3.2.9 Remote Root Jailbreak via Traceroute Command

Advisories

severity: high
date: December 30, 2025
Affecting: Flamingo XL 3.2.9
CVE: CVE-2024-58338
CWE: CWE-266 Incorrect Privilege Assignment
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-51516
Ateme Vendor Homepage
Zero Science Lab Disclosure (ZSL-2023-5780)
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Anevia Flamingo XL 3.2.9 contains a restricted shell vulnerability that allows remote attackers to escape the sandboxed environment through the traceroute command. Attackers can exploit the traceroute command to inject shell commands and gain full root access to the device by bypassing the restricted login environment.