Aviatrix Cloud Controller Flaw Enables Remote Code Execution via Authentication Bypass
A Mandiant Red Team engagement has uncovered two critical vulnerabilities in Aviatrix Controller—cloud networking software used to manage multi-cloud environments.
The flaws enable full system compromise through an authentication bypass (CVE-2025-2171) followed by authenticated command injection (CVE-2025-2172).
Authentication Bypass (CVE-2025-2171)
The attack chain begins with a weak password reset mechanism. Attackers can brute-force 6-digit reset tokens (ranging from 111,111 to 999,999) due to:
- Low entropy: Only 888,888 possible combinations
- No lockout: Failed attempts don’t invalidate tokens
- 15-minute window: Tokens remain valid during brute-forcing
Mandiant demonstrated takeover of the default “admin” account after 16 hours of brute-forcing. Successful exploitation grants administrative access to the controller’s management interface.
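The three weaknesses listed above (low entropy, no lockout, long validity window) map directly onto the properties a reset-token verifier needs. The following is an added illustration of a hardened verifier, not Aviatrix's code or patch; the class names, entropy size, attempt limit and lifetime are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters for illustration (not Aviatrix's values):
TOKEN_BYTES = 32          # 256 bits of entropy instead of a 6-digit code
MAX_FAILED_ATTEMPTS = 5   # failures invalidate the token, so guessing cannot continue
TOKEN_LIFETIME_S = 300    # 5-minute validity instead of a 15-minute window


@dataclass
class ResetToken:
    secret: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class ResetTokenStore:
    """Hypothetical per-account reset-token store with lockout and expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock makes expiry testable
        self._tokens: dict[str, ResetToken] = {}

    def issue(self, username: str) -> str:
        # A new request replaces any outstanding token for the account.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._tokens[username] = ResetToken(secret=token, issued_at=self._clock())
        return token

    def verify(self, username: str, candidate: str) -> bool:
        entry = self._tokens.get(username)
        if entry is None or entry.consumed:
            return False
        if self._clock() - entry.issued_at > TOKEN_LIFETIME_S:
            del self._tokens[username]          # expired: discard, do not compare
            return False
        # Constant-time comparison so timing does not reveal a partial match.
        if hmac.compare_digest(entry.secret, candidate):
            entry.consumed = True               # single use
            return True
        entry.failed_attempts += 1
        if entry.failed_attempts >= MAX_FAILED_ATTEMPTS:
            del self._tokens[username]          # lockout: token invalidated
        return False
```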
Post-Authentication Command Injection (CVE-2025-2172)
After bypassing authentication, attackers leverage the controller’s architecture:
- PHP front-end passes user inputs to a Python back-end (cloudxd) via sudo commands
- Insufficient sanitization allows parameter injection into privileged system commands
- Root execution: The cloudxd binary runs with root privileges
This enables unconstrained remote code execution on the controller, potentially compromising all connected cloud gateways and APIs.
Impact and Mitigation
| Vulnerability | CVSS | Affected Versions | Patched Versions |
|---|---|---|---|
| CVE-2025-2171 | 9.9 | ≤7.2.5012 | 8.0.0, 7.2.5090, 7.1.42081 |
Exploitation risks include:
- Cloud environment breach via centralized controller access
- Backdoor deployment and cryptocurrency mining
- Privilege escalation in AWS environments
Aviatrix released patches in January 2025 and recommends:
- Immediate updating to patched versions
- Restricting controller access (disable public port 443 exposure)
- Reapplying patches after controller upgrades, since the fixes do not persist across upgrades
These vulnerabilities highlight critical risks in cloud management infrastructure, particularly when centralized controllers become high-value targets for initial access brokers.