Aviatrix Controller RCE CVE-2024-50603 Exploited in the Wild: Cryptojacking and Backdoors Deployed

A critical Remote Code Execution (RCE) vulnerability, CVE-2024-50603, has been identified in Aviatrix Controller, with the maximum CVSS score of 10.0. According to Wiz Research, this flaw has already been exploited in the wild, leading to cryptojacking and backdoor deployments.

“The vulnerability resides in the improper handling of user-supplied parameters in the Aviatrix Controller’s API,” explains the Wiz Research report. This flaw enables attackers to inject malicious commands, leading to a complete system takeover. Worryingly, “in 65% of [cloud] environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.” This means attackers can leverage this vulnerability to not only compromise the controller itself but also potentially gain access to sensitive cloud resources.

The vulnerability was disclosed on January 7, 2025, accompanied by a detailed blog post explaining the exploit. A publicly available proof-of-concept followed on January 8, 2025. Almost immediately, exploitation of CVE-2024-50603 is already occurring in the wild. Wiz Research observed attackers deploying cryptocurrency miners (XMRig) and backdoors (Sliver) on compromised systems. “While we have yet to see direct evidence of cloud lateral movement,” the report states, “we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments.”

Aviatrix has released patched versions (7.1.4191 and 7.2.4996), and organizations using Aviatrix Controller are strongly urged to update immediately. Additionally, restricting public access to the controller can significantly reduce the attack surface.

Rate this post

Leave a Reply Cancel reply

Website

Related Posts:

Leave a Reply Cancel reply