Threat actors are exploiting a critical remote command execution vulnerability, tracked as CVE-2024-50603, in Aviatrix Controller instances to install backdoors and crypto miners.
The Aviatrix Controller, part of the Aviatrix Cloud Networking Platform, enhances networking, security, and operational visibility for multi-cloud environments. It is used by enterprises, DevOps teams, network engineers, cloud architects, and managed service providers.
Discovered by Jakub Korepta on October 17, 2024, CVE-2024-50603 is caused by inadequate use of input sanitization functions in some API actions, allowing attackers to inject malicious commands into system-level operations.
This allows threat actors to use specially crafted API requests to achieve remote command execution without authentication.
The flaw impacts all versions of Aviatrix Controller from 7.x through 7.2.4820. Users are recommended to upgrade to either 7.1.4191 or 7.2.4996, which addresses the CVE-2024-50603 risk.
Active exploitation in the wild
Wiz Research reports that a proof-of-concept (PoC) exploit released on GitHub on January 8, 2025, has fueled the exploitation of CVE-2024-50603 in the wild.
Hackers are leveraging the flaw to plant Sliver backdoors and perform unauthorized Monero cryptocurrency mining using XMRig (cryptojacking).
Wiz says that although only a small percentage of cloud enterprise environments have Aviatrix Controller deployments, most of them constitute a risk for lateral network movement and privilege escalation.
“Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed,” explains Wiz.
“However, our data shows that in 65% of such environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.”
Wiz notes that there is no evidence of the attackers performing lateral movement, but they believe the threat actors utilize CVE-2024-50603 to enumerate the host’s cloud permissions and explore data exfiltration opportunities.
Fixes available
Aviatrix recommends that impacted users upgrade to Aviatrix Controller version 7.1.4191 or 7.2.4996, which includes fixes for the vulnerability.
Additionally, it’s noted that the patch must be re-applied if it was applied to a version prior to 7.1.4191 or 7.2.4996, if the Controller is later upgraded to a version prior to 7.1.4191 or 7.2.4996, or the Controller does not have an associated CoPilot running version 4.16.1 or higher.
Impacted users must also ensure that the Controller does not expose port 443 to the internet and that they minimize attack surface by following the recommended Controller IP access guidelines.