Hackers Take Advantage of Aviatrix Controller Flaw to Install Backdoors and Crypto Miners

Critical Vulnerability in Aviatrix Controller Exploited for Malicious Activities

A recently uncovered severe security vulnerability in the Aviatrix Controller, a cloud networking platform, has drawn significant attention due to its active exploitation in the wild. Security firm Wiz has reported ongoing incidents where attackers are leveraging this critical flaw to install backdoors and deploy cryptocurrency mining software, raising alarms within the cybersecurity community.

The vulnerability, identified as CVE-2024-50603, has been assigned the maximum CVSS score of 10.0 and allows unauthenticated remote code execution. The flaw stems from inadequately sanitized user input in specific API endpoints, which lets attackers inject operating system commands. Aviatrix has since addressed the issue with patches in software versions 7.1.4191 and 7.2.4996.

Jakub Korepta, a researcher from Polish cybersecurity firm Securing, was instrumental in discovering and disclosing the vulnerability. Following the disclosure, a proof-of-concept exploit has been made publicly available, further elevating the urgency for immediate remediation.

Data indicates that approximately 3% of cloud enterprise environments utilize the Aviatrix Controller, with a concerning 65% of these environments exhibiting potential pathways for lateral movement within administrative cloud controls. This aspect raises the stakes for privilege escalation attacks, especially in AWS cloud deployments where exploitation of this vulnerability poses a significant risk.

Real-world attacks associated with CVE-2024-50603 have used initial access to targeted instances to run XMRig cryptocurrency mining and to deploy the Sliver command-and-control framework. Although conclusive evidence of lateral movement within affected cloud environments has yet to surface, researchers at Wiz have expressed concern that attackers could be enumerating cloud permissions and attempting data exfiltration.

In response to these developments, Wiz has recommended immediate application of the available patches and advised restricting public access to the Aviatrix Controller to mitigate risks.

Aviatrix acknowledged the critical nature of this security issue, confirming it was alerted to the vulnerability in late October and issued hot patches in early November. Notably, the company highlighted that customers on versions 6.7 and above, who have installed the security patch, can maintain protection even if they have not yet upgraded to the latest software versions.

In a further commitment to security, Aviatrix has conducted outreach campaigns to assist customers in applying these critical updates before the public disclosure of the vulnerability on January 7th. The company aims for comprehensive coverage, ensuring that a significant portion of its customer base has been secured and their configurations reinforced.

This vulnerability has also captured the attention of U.S. government agencies, as the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-50603 to its Known Exploited Vulnerabilities catalog on January 16, 2025. Federal Civilian Executive Branch agencies are now required to implement fixes by February 6, 2025.

In summary, the exploitation of the Aviatrix Controller highlights the ongoing risks associated with cloud security vulnerabilities. As cyber adversaries continue to evolve their tactics, including initial access, persistence, and privilege escalation, it becomes increasingly imperative for organizations to remain vigilant and proactive in safeguarding their digital infrastructures.