Aviatrix Cloud Controller Authentication Vulnerability Let Attackers Execute Remote Code

Two critical vulnerabilities have been disclosed in Aviatrix Controller, a Software-Defined Networking (SDN) utility that enables cloud connectivity across different vendors and regions.

The vulnerabilities allowed attackers to bypass authentication and execute remote code with root privileges, potentially compromising entire cloud infrastructures.

Summary
1. Two vulnerabilities (CVE-2025-2171 and CVE-2025-2172) in Aviatrix Controller allowed attackers to bypass administrator authentication and execute remote code.
2. Attackers gained root access by exploiting a command injection flaw in the file upload feature, using malicious filenames with tab characters.
3. Successful exploitation granted attackers centralized control over cloud gateways and APIs, potentially leading to a complete cloud environment takeover.
4. Aviatrix released security patches for versions 8.0.0, 7.2.5090, and 7.1.4208, addressing vulnerabilities in Controller versions 7.2.5012 and earlier.

Critical Aviatrix Controller Vulnerabilities

Mandiant security researchers disclosed two security flaws, tracked as CVE-2025-2171 and CVE-2025-2172, that affect Aviatrix Controller versions 7.2.5012 and prior.

CVE-2025-2171 represents an administrator authentication bypass vulnerability, while CVE-2025-2172 involves authenticated command injection. 

During a red team engagement, Mandiant researchers discovered that the authentication bypass could be exploited through a weak password reset mechanism. 

[Figure: Exploitation steps]

The system generated 6-digit password reset tokens ranging from 111,111 to 999,999, creating only 888,888 unique candidates with a 15-minute validity window. 

The researchers successfully brute-forced the administrator account after 16 hours and 23 minutes of continuous attempts.
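As an added illustration (not Aviatrix code), here is the weak six-digit scheme the article describes next to a hardened reset-token issuer; the attempt cap, the single-use rule and the injectable clock are assumptions of this example:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute validity window from the article
MAX_ATTEMPTS = 5             # assumed cap; the weak scheme had no lockout


def weak_token() -> str:
    """Reproduces the scheme the article describes: a six-digit value between
    111,111 and 999,999, i.e. fewer than 2**20 candidates, small enough to
    enumerate online within the validity window."""
    return str(111111 + secrets.randbelow(999999 - 111111 + 1))


class ResetTokenStore:
    """Hardened reset-token handling: 32 random bytes from secrets, only the
    SHA-256 of the token is stored, the token is single use, and it is
    discarded after TTL expiry or MAX_ATTEMPTS failed checks, so a brute
    force cannot keep guessing against one token for hours."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [token_hash, expires_at, failures]

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = [digest, self._clock() + TOKEN_TTL_SECONDS, 0]
        return token

    def verify(self, username: str, candidate: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, _failures = entry
        if self._clock() > expires_at:
            del self._pending[username]  # expired: force a fresh request
            return False
        candidate_digest = hashlib.sha256(candidate.encode()).digest()
        if hmac.compare_digest(digest, candidate_digest):
            del self._pending[username]  # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[username]  # lock out: token is no longer guessable
        return False
```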

The Aviatrix Controller architecture consists of a Python 3.10 codebase bundled using PyInstaller, called by a PHP front-end that processes HTTP requests. When users attempt to log in, the system executes commands like:

[Figure: example of the command executed by the PHP front-end at login]

After gaining initial access, researchers identified a command injection vulnerability in the file upload functionality. 

The system’s upload_file() function allowed attackers to control part of the filename, including inserting tab characters, which could be used to smuggle additional command-line arguments.

The vulnerability exploited the shlex.split() function used by the system to tokenize command strings. 

By uploading files with specially crafted names containing tab characters, attackers could inject additional arguments into shell commands. 

For example, a filename like foobar.foo{TAB}--bar{TAB}--baz would be tokenized as separate command arguments.

Researchers demonstrated the exploit by targeting the Proxy Admin utility’s CA certificate installation feature, which used the cp command to copy uploaded files. 

Through careful argument injection, they overwrote /etc/crontab with malicious content, achieving persistent root access:

[Figure: /etc/crontab overwritten through the injected cp arguments]
CVE: CVE-2025-2171
Affected products: Aviatrix Controller versions 7.2.5012 and prior
Impact: Administrator authentication bypass allowing unauthorized administrative access
Exploit prerequisites: Network access to the Aviatrix Controller interface; ability to initiate the password reset process

CVE: CVE-2025-2172
Affected products: Aviatrix Controller versions 7.2.5012 and prior
Impact: Authenticated command injection leading to remote code execution with root privileges
Exploit prerequisites: Valid administrator credentials (obtained via CVE-2025-2171); access to the file upload functionality
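The tab-based argument smuggling described above, shown as an added example rather than the controller's own code: the vulnerable pattern assembles the cp command as one string and hands it to shlex.split(), while the hardened builder allow-lists the name and passes argv as a list with a "--" separator. The upload and destination directories, the allow-list pattern and the helper names are assumptions.

```python
import re
import shlex

# Constructed filename modelled on the article's example; the tabs become
# separate tokens when the command string is split.
SMUGGLED_NAME = "foobar.foo\t--bar\t--baz"

UPLOAD_DIR = "/tmp/uploads"  # assumed location for this example


def vulnerable_cp_argv(dest_dir: str, filename: str) -> list:
    """Vulnerable pattern: build one command string, then tokenise it.
    shlex treats tabs as whitespace, so anything after a tab inside the
    filename is parsed as an additional argument to cp."""
    cmd = f"cp {UPLOAD_DIR}/{filename} {dest_dir}/"
    return shlex.split(cmd)


def smuggled_token_count(filename: str) -> int:
    """Detection helper: number of extra argv tokens an upload name would
    contribute if it were tokenised. Anything above 0 is worth alerting on."""
    return max(len(shlex.split(filename)) - 1, 0)


SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")


def hardened_cp_argv(dest_dir: str, filename: str) -> list:
    """Hardened pattern: reject names outside a strict allow-list (no
    whitespace, no path separators) and build argv as a list so the shell
    never re-parses it; "--" stops cp from reading a leading '-' as an
    option. Pass the result to subprocess.run(argv) without shell=True."""
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        raise ValueError(f"rejected upload name: {filename!r}")
    return ["cp", "--", f"{UPLOAD_DIR}/{filename}", f"{dest_dir}/"]
```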

Cloud Infrastructure Compromise 

The successful exploitation provided attackers with root access to the Aviatrix Controller, which serves as a centralized component managing cloud gateways and APIs across multiple cloud providers. 

From this position, researchers could query the AWS IMDSv2 endpoint to obtain ephemeral cloud credentials and perform role assumption to gain broader cloud access.

The attack chain demonstrates how compromising the Aviatrix Controller can lead to complete cloud environment takeover, as the controller maintains privileged access to deployed gateways and cloud APIs across different regions and vendors.

Aviatrix released security patches on March 31, 2025, for versions 8.0.0, 7.2.5090, and 7.1.4208, addressing vulnerabilities in Controller versions 7.2.5012 and earlier.

Organizations using affected versions should immediately upgrade to the patched releases to prevent potential compromise of their cloud infrastructure.
