Aviatrix Controller RCE Vulnerability Exploited In The Wild

Jan 13, 2025 - 12:16

A critical remote code execution (RCE) vulnerability, CVE-2024-50603, has been actively exploited in the wild, posing significant risks to cloud environments.

This vulnerability affects Aviatrix Controller, a widely used cloud networking platform, and has been assigned the maximum CVSS score of 10.0 due to its severe impact and ease of exploitation.

CVE-2024-50603 is a command injection flaw stemming from improper neutralization of user-supplied input in the Aviatrix Controller’s API. Specifically, parameters such as `cloud_type` and `src_cloud_type` in API endpoints like `list_flightpath_destination_instances` and `flightpath_connection_test` are incorporated into command strings without adequate sanitization.

This allows unauthenticated attackers to inject malicious OS commands, leading to arbitrary code execution.

The vulnerability affects Aviatrix Controller versions prior to 7.1.4191 and 7.2.x before 7.2.4996. Patched versions have been released to address the issue, but many systems remain unprotected.
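The affected ranges span two release trains, so a plain "newer than 7.1.4191" comparison would wrongly pass an unpatched 7.2.x build. The Python sketch below is an added example for triaging an inventory against those ranges, not code from Aviatrix or Wiz; it assumes versions are reported as `major.minor.build` strings, and the controller names and sample versions are constructed.

```python
import re

# Fixed builds named in the article for CVE-2024-50603.
FIXED_7_1 = (7, 1, 4191)
FIXED_7_2 = (7, 2, 4996)

# Assumption: versions look like "major.minor.build".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Parse 'major.minor.build' into a tuple of ints, else raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(text):
    """True if the version falls in the affected ranges the article gives."""
    v = parse_version(text)
    if v[:2] == (7, 2):
        # 7.2.x train: affected before 7.2.4996.
        return v < FIXED_7_2
    # All other trains: affected if prior to 7.1.4191.
    # Later trains (for example 7.3.x) compare greater and are not flagged.
    return v < FIXED_7_1


def triage(inventory):
    """Split {name: version} into vulnerable / patched / unknown buckets."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for name, version in sorted(inventory.items()):
        try:
            bucket = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable: needs a manual check
        result[bucket].append(name)
    return result


# Constructed inventory (hypothetical controller names and versions).
SAMPLE = {
    "ctrl-prod": "7.1.4105",
    "ctrl-dev": "7.2.4820",  # newer than 7.1.4191 but still affected
    "ctrl-dr": "7.2.4996",
    "ctrl-lab": "6.9.822",
    "ctrl-old": "unknown",
}
```

Entries that land in the `unknown` bucket should be treated as unpatched until their version is confirmed.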

Exploitation In The Wild

The vulnerability was disclosed on January 7, 2025, with a proof-of-concept exploit published the following day. Within hours, cybersecurity firm Wiz Research observed active exploitation across multiple cloud environments.

Threat actors have leveraged this flaw to deploy cryptojacking malware (using XMRig) and Sliver backdoors for persistence.

In all observed cases, attackers targeted publicly exposed Aviatrix Controllers confirmed as vulnerable to CVE-2024-50603.

These incidents occurred between January 7 and January 10, with a surge in attacks following the release of a Nuclei detection template.

Wiz Research highlights that approximately 3% of enterprise cloud environments deploy Aviatrix Controller.

Alarmingly, 65% of these environments allow lateral movement paths from the controller’s virtual machine to cloud control plane permissions.

This is attributed to the default high IAM privileges granted to Aviatrix Controller in AWS environments.

Once attackers gain access via CVE-2024-50603, they can potentially enumerate cloud permissions and escalate privileges within the victim’s cloud environment.

Although direct evidence of lateral movement has not yet been observed, researchers believe it is likely being exploited for data exfiltration or further compromise.

Mitigation Recommendations

Organizations using Aviatrix Controller are urged to take immediate action:

  1. Upgrade to Patched Versions: Update to version 7.1.4191 or 7.2.4996 to mitigate the vulnerability.
  2. Restrict Network Access: Implement network restrictions to prevent public exposure of Aviatrix Controller.
  3. Conduct Forensic Investigations: Analyze potentially compromised systems for signs of malware or unauthorized access.
  4. Monitor for Lateral Movement: Assess cloud environments for any unusual activity or privilege escalation attempts.
  5. Leverage Security Tools: Use tools like Wiz Threat Center queries to identify vulnerable instances within your environment.

The rapid exploitation of CVE-2024-50603 underscores the critical need for timely patching and proactive security measures in cloud environments.

The vulnerability’s ease of exploitation and potential for privilege escalation make it a prime target for threat actors seeking to compromise enterprise cloud infrastructures.

As organizations increasingly rely on cloud-native solutions like Aviatrix Controller, maintaining robust security practices—such as minimizing attack surfaces and monitoring for emerging threats—remains essential to safeguarding sensitive data and operations from cyberattacks.

The post Aviatrix Controller RCE Vulnerability Exploited In The Wild appeared first on Cyber Security News.