Advisory

Critical vulnerability reported in Aviatrix Controllers and is under active exploitation

Take action: If you are using Aviatrix Controller in your infrastructure, restrict its exposure to the internet, especially on port 443. Then plan a patch process, because the platform is actively attacked. Even if your Aviatrix Controller is locked down, it can still be reached through a compromised endpoint or another vulnerable element in your environment.


Learn More

A critical vulnerability in Aviatrix Controllers has been disclosed and is currently under active exploitation. The Aviatrix Controller is a software platform that manages connectivity for cloud and hybrid networks, providing programmatic control over native networking and security features of cloud providers like AWS, Azure, and Google Cloud.

The vulnerability is tracked as CVE-2024-50603 (CVSS score 9.9) and allows unauthenticated remote code execution by exploiting improperly sanitized API endpoints, specifically the cloud_type parameter of certain API functions. A public proof-of-concept exploit has been published.

Security researchers have confirmed active exploitation attempts in the wild, with attackers deploying cryptocurrency miners (XMRig) and the Sliver command-and-control framework for persistence.

The flaw allows unauthenticated attackers to execute arbitrary commands on Aviatrix Controllers. It affects approximately 3% of cloud enterprise environments using Aviatrix Controller, and 65% of affected deployments show potential lateral movement paths to administrative cloud permissions.

When deployed in AWS, the Controller allows privilege escalation by default. Current exploitation attempts focus on cryptocurrency mining and maintaining persistent access.

Affected products: all supported versions of Aviatrix Controller prior to:

  • Version 7.1.4191
  • Version 7.2.4996

Remediation Steps:

  1. Update to either version 7.1.4191 or 7.2.4996
  2. Apply the security patch for CVE-2024-50603
  3. Follow the Controller IP Access guidance to restrict port 443 exposure

Note: The patch may need to be reapplied after controller upgrades under certain conditions.
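As an added triage script (not Aviatrix's own code or tooling) covering both remediation items above: it classifies each controller build against the fixed versions listed in this advisory and flags inbound port 443 rules that fall outside an administrative allowlist. The inventory, the rule format and the allowlist are constructed assumptions standing in for what your cloud API or CMDB returns.

```python
from ipaddress import ip_network

# Fixed builds named in the advisory, keyed by release branch (major, minor).
FIXED_BUILDS = {(7, 1): (7, 1, 4191), (7, 2): (7, 2, 4996)}


def parse_version(text):
    """'7.1.4190' -> (7, 1, 4190); tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a controller build.
    Branches the advisory does not list (e.g. 7.3) come back 'unknown' so an
    operator reviews them instead of the script silently passing them."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BUILDS:
        return "patched" if v >= FIXED_BUILDS[branch] else "vulnerable"
    if v < (7, 1):  # every supported build before 7.1.4191 is affected
        return "vulnerable"
    return "unknown"


def public_443_rules(rules, admin_cidrs):
    """Return source CIDRs of port 443 rules not contained in the admin allowlist.
    `rules` is a constructed list of {'port': int, 'cidr': str} entries."""
    allowed = [ip_network(c) for c in admin_cidrs]
    exposed = []
    for rule in rules:
        if rule["port"] != 443:
            continue
        src = ip_network(rule["cidr"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare within one family.
        if not any(src.version == a.version and src.subnet_of(a) for a in allowed):
            exposed.append(rule["cidr"])
    return exposed


# Constructed sample inventory: one exposed, unpatched controller and one clean one.
CONTROLLERS = [
    {"name": "ctrl-prod", "version": "7.1.4190",
     "rules": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"}]},
    {"name": "ctrl-dev", "version": "7.2.4996",
     "rules": [{"port": 443, "cidr": "10.20.0.0/16"}]},
]
ADMIN_CIDRS = ["10.0.0.0/8"]  # assumed operator allowlist


def triage(controllers, admin_cidrs):
    """Map controller name -> {'patch': status, 'exposed_443': [cidrs]}."""
    return {c["name"]: {"patch": patch_status(c["version"]),
                        "exposed_443": public_443_rules(c["rules"], admin_cidrs)}
            for c in controllers}


if __name__ == "__main__":
    for name, finding in triage(CONTROLLERS, ADMIN_CIDRS).items():
        print(name, finding)
```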