Mandiant's red team breached a fully patched instance of the Aviatrix Controller, the central control plane in Aviatrix's software-defined networking (SDN) architecture, by chaining two newly assigned CVEs with weak architectural decisions. The attack ended in root-level remote code execution on the controller and a pivot into the surrounding AWS environment. The two CVEs:
- CVE-2025-2171 (CVSS 7.8) — Authentication bypass (brute-forceable password reset token)
- CVE-2025-2172 (CVSS 6.6) — Authenticated argument injection via unsafe handling of uploaded filenames, leading to command execution as root
“This confirmed our successful exploitation of a fully patched Aviatrix Controller, via Authentication Bypass, Unsafe File Upload, and Argument Injection,” the report states.
Aviatrix is the centralized control plane for multi-cloud networking; its Controller component orchestrates gateways across AWS, Azure, and Google Cloud. The instance Mandiant analyzed was hosted on AWS and appeared hardened, exposing minimal attack surface until the team began reverse engineering it.
The controller uses a hybrid architecture:
- A PHP front-end parses HTTP requests
- A PyInstaller-packed Python 3.10 binary, cloudxd, handles backend logic and is invoked by the front-end through sudo
CVE-2025-2171: Authentication Bypass via Weak Token Entropy
Mandiant discovered that Aviatrix's password reset mechanism generated 6-digit tokens ranging from 111111 to 999999 (888,889 possible values), with no rate limiting on verification attempts.
“The password reset token entropy was too weak to be effective… shy of 900,000 candidates,” the report explains.
With some scripting, Mandiant repeatedly requested a reset for the default admin account and brute-forced each token within its 15-minute validity window, starting over whenever a token expired, until a guess matched.
“After 16 hours and 23 minutes, we got a match.”
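To make the numbers concrete, here is an added example (not code from the Mandiant report or from Aviatrix) that computes the size of the token space described above, estimates brute-force time for an assumed guess rate, and contrasts the weak generator with a reset-token store that uses a CSPRNG, the 15-minute expiry, single use, and a per-token attempt limit. The attempt threshold, the guess rate, and the store's interface are assumptions made for illustration.

```python
from __future__ import annotations

import hmac
import random
import secrets
import time

# Candidate space of a 6-digit token drawn from 111111..999999
# (the figures in the write-up; just under 900,000 values).
WEAK_MIN, WEAK_MAX = 111111, 999999
WEAK_KEYSPACE = WEAK_MAX - WEAK_MIN + 1  # 888,889

TOKEN_TTL_SECONDS = 15 * 60  # validity window quoted in the write-up
MAX_ATTEMPTS = 5             # assumed lockout threshold (not from the page)


def weak_token() -> str:
    """Reset token as described in the write-up: six digits, enumerable."""
    return str(random.randint(WEAK_MIN, WEAK_MAX))


def strong_token() -> str:
    """Hardened replacement: 256 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(32)


def expected_guesses(keyspace: int) -> float:
    """Average number of guesses needed to hit a uniformly random token."""
    return (keyspace + 1) / 2


def brute_force_hours(keyspace: int, guesses_per_second: float) -> float:
    """Expected wall-clock hours for an unthrottled online guess (assumed rate)."""
    return expected_guesses(keyspace) / guesses_per_second / 3600


class ResetTokenStore:
    """Single-use reset tokens with expiry and a per-token attempt limit."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens: dict[str, list] = {}  # username -> [token, issued_at, attempts]

    def issue(self, username: str) -> str:
        token = strong_token()
        self._tokens[username] = [token, self._now(), 0]
        return token

    def verify(self, username: str, candidate: str) -> bool:
        entry = self._tokens.get(username)
        if entry is None:
            return False
        token, issued_at, attempts = entry
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            del self._tokens[username]          # expired: discard
            return False
        if attempts >= MAX_ATTEMPTS:
            del self._tokens[username]          # too many tries: burn the token
            return False
        entry[2] = attempts + 1
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(token.encode(), candidate.encode()):
            del self._tokens[username]          # single use
            return True
        return False


if __name__ == "__main__":
    print(f"candidates: {WEAK_KEYSPACE}, avg guesses: {expected_guesses(WEAK_KEYSPACE):.0f}")
    print(f"expected hours at 10 guesses/s: {brute_force_hours(WEAK_KEYSPACE, 10):.1f}")
```

At 888,889 candidates an attacker needs about 444,445 guesses on average, so with no throttling the only limit is request throughput. The hardened store removes the problem in two independent ways: the token space is 2^256, and each token is burned after a handful of failed attempts, so even a weak token would not survive online guessing.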
CVE-2025-2172: Command Injection via Filename Smuggling
Access to the admin panel was not the end but the start of a more severe escalation. The red team found that the file upload function accepted tab characters in filenames, and that those filenames were later interpolated into command strings that were tokenised with shlex.split(). Because shlex.split() treats tabs, like spaces, as argument separators, a single filename can be turned into several arguments.
“By adding tab characters to uploaded filenames, it would therefore be possible to smuggle command line arguments to the shell interpreter.”
With carefully crafted filenames, Mandiant smuggled extra arguments into a cp command run by the backend and ultimately overwrote the root user's crontab, installing a job that called back every minute.
“Within a minute, and every minute after that, we got a curl callback… The execution context was also under root.”
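The following added example (not Aviatrix's code) shows why tabs in a filename matter: a command line built by string interpolation and re-tokenised with shlex.split() splits on tabs as well as spaces, so one filename becomes several arguments to cp. The upload and destination directories, the allowlist pattern and the function names are assumptions, and the demo filename is constructed; the builders return argv and nothing is executed unless you call copy_upload().

```python
from __future__ import annotations

import re
import shlex
import subprocess

UPLOAD_DIR = "/var/uploads"      # assumed paths, not from the write-up
DEST_DIR = "/var/tmp/staging"

# Allowlist: alphanumerics, dot, underscore, dash; no leading dash, no
# whitespace, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

# Constructed demo name: the tabs turn one "file" into extra cp arguments.
DEMO_NAME = "report.txt\t--no-clobber\t/some/other/target"


def build_cp_argv_unsafe(filename: str) -> list[str]:
    """The pattern the write-up describes: interpolate the name into a
    command string, then re-tokenise it with shlex.split(), which treats
    tabs as argument separators. Returns argv without executing it."""
    cmd = f"cp {UPLOAD_DIR}/{filename} {DEST_DIR}/{filename}"
    return shlex.split(cmd)


def build_cp_argv_quoted(filename: str) -> list[str]:
    """Minimal fix if the string round trip must stay: shlex.quote() keeps
    each path as a single token even when it contains whitespace."""
    src = shlex.quote(f"{UPLOAD_DIR}/{filename}")
    dst = shlex.quote(f"{DEST_DIR}/{filename}")
    return shlex.split(f"cp {src} {dst}")


def build_cp_argv_safe(filename: str) -> list[str]:
    """Preferred fix: validate the name against an allowlist and build argv
    as a list, with '--' so nothing in the name can be read as an option."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return ["cp", "--", f"{UPLOAD_DIR}/{filename}", f"{DEST_DIR}/{filename}"]


def copy_upload(filename: str) -> None:
    """Run the hardened copy. argv is a list, so no shell parsing happens."""
    subprocess.run(build_cp_argv_safe(filename), check=True)


if __name__ == "__main__":
    print("unsafe :", build_cp_argv_unsafe(DEMO_NAME))   # 7 tokens, not 3
    print("quoted :", build_cp_argv_quoted(DEMO_NAME))   # 3 tokens
    try:
        build_cp_argv_safe(DEMO_NAME)
    except ValueError as exc:
        print("safe   :", exc)
```

Two fixes are shown. shlex.quote() is the smallest change and keeps the name as one token, but the safer pattern avoids the shell-style string round trip altogether: validate the name, pass argv as a list, and put "--" before the paths so a name beginning with "-" cannot be interpreted as a cp option.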
From this root-level position inside the controller, the team queried the AWS Instance Metadata Service (IMDSv2) for the instance role's temporary credentials. With those, they used AWS STS to assume further, more privileged roles and gained access to:
- EC2 instance management
- S3 bucket access
- Full AWS cloud control
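The IMDSv2 exchange behind the cloud pivot, as an added example that is not from the report or from Aviatrix: a minimal mock of the metadata service that enforces the PUT-then-GET session token, and a client that obtains the instance role's temporary credentials the way a process on the host would. The role name and credential values are constructed placeholders, and the mock implements only the parts of IMDS behaviour needed here.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE_NAME = "controller-instance-role"     # assumed role name
FAKE_CREDS = {                             # constructed placeholder credentials
    "Code": "Success",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
}
SESSION_TOKEN = "imds-session-token"       # what the mock issues on PUT /latest/api/token


class MockIMDSv2(BaseHTTPRequestHandler):
    """IMDSv2 essentials: a session token must be obtained with a PUT and
    presented on every GET; GETs without it are refused with 401."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # Real IMDS refuses token requests that carry X-Forwarded-For,
        # i.e. ones that arrived through a proxy (a common SSRF path).
        if self.path != "/latest/api/token" or "X-Forwarded-For" in self.headers:
            self._reply(403, b"")
            return
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if ttl is None or not 1 <= int(ttl) <= 21600:
            self._reply(400, b"")
            return
        self._reply(200, SESSION_TOKEN.encode())

    def do_GET(self):
        if self.headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
            self._reply(401, b"")  # unauthenticated, IMDSv1-style request
            return
        if self.path == "/latest/meta-data/iam/security-credentials/":
            self._reply(200, ROLE_NAME.encode())
        elif self.path == f"/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
            self._reply(200, json.dumps(FAKE_CREDS).encode())
        else:
            self._reply(404, b"")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _request(method, url, headers=None):
    req = urllib.request.Request(url, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def fetch_role_credentials(base_url):
    """Client side of the exchange: PUT for a session token, then GET the
    role name and its credentials, presenting the token on each GET."""
    _, token = _request("PUT", f"{base_url}/latest/api/token",
                        {"X-aws-ec2-metadata-token-ttl-seconds": "300"})
    auth = {"X-aws-ec2-metadata-token": token}
    _, role = _request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/", auth)
    _, body = _request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/{role}", auth)
    return json.loads(body)


def unauthenticated_get_status(base_url):
    """Status an IMDSv2-only endpoint returns to a GET with no token."""
    try:
        status, _ = _request("GET", f"{base_url}/latest/meta-data/iam/security-credentials/")
    except urllib.error.HTTPError as exc:
        status = exc.code
    return status


def run_demo():
    """Start the mock on an ephemeral localhost port, run both checks, stop it."""
    server = HTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return fetch_role_credentials(base), unauthenticated_get_status(base)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    creds, status = run_demo()
    print("role credentials:", creds["AccessKeyId"], "| token-less GET ->", status)
```

The point for defenders: IMDSv2 rejects the token-less GET, and its PUT refuses requests carrying X-Forwarded-For, which stops many SSRF-based credential thefts, but it cannot stop code already running as root on the instance, which is exactly the position the red team reached. What limits the blast radius at that point is a least-privilege instance role (and keeping the IMDS response hop limit at 1 so the token cannot be fetched from forwarded hosts), which is why the STS role assumptions that followed deserve the same scrutiny as the controller itself.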

Patches have been released in Aviatrix Controller versions 8.0.0, 7.2.5090, and 7.1.4208.
Administrators are urged to update to these versions immediately and to audit token-based authentication and file-handling logic in their own environments.