RCE bug in Aviatrix Controller used for launching cryptominers

February 3, 2025

A remote code execution flaw in Aviatrix Controller is under active exploitation, with attackers using it to install backdoors and cryptominers on targeted instances.

The bug in question is CVE-2024-50603, which affects the Controller component of Aviatrix's cloud networking platform; the platform is used to improve network security and operational visibility across multi-cloud environments. Researchers discovered the flaw in October last year and attributed it to missing input sanitisation in certain API actions.

Because user-supplied parameters reach system-level command execution unsanitised, an unauthenticated attacker can send specially crafted API requests that inject operating system commands and run them on the Controller. The issue affects all Aviatrix Controller 7.x versions up to and including 7.2.4820.
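The bug class described above, as an added illustration that is not Aviatrix's code: an API handler builds a shell command from a request parameter, so shell metacharacters in that parameter become attacker-controlled commands. The handler name `flightpath_lookup`, the `cloud_type` parameter and the cloud-type mapping are assumptions for the example; the hardened version shows the two fixes a practitioner would apply, an allowlist on the parameter and an argv list instead of a shell string.

```python
import subprocess

# Constructed example of unsanitised input reaching a shell command.
# Handler name, parameter name and the mapping below are assumed, not Aviatrix's.
ALLOWED_CLOUD_TYPES = {"1": "aws", "4": "gcp", "8": "azure"}  # assumed mapping


def flightpath_lookup_vulnerable(cloud_type: str) -> str:
    # VULNERABLE: the untrusted parameter is interpolated into a shell string,
    # so ";", "|", "$(...)" and friends are parsed by /bin/sh as commands.
    cmd = f"echo lookup-for-cloud-{cloud_type}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def flightpath_lookup_argv_only(cloud_type: str) -> str:
    # PARTIAL FIX: passing an argv list with shell=False means no shell ever
    # parses the value; it arrives at the program as one literal argument.
    # Unexpected values are still accepted, which is why an allowlist is added below.
    argv = ["echo", f"lookup-for-cloud-{cloud_type}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def flightpath_lookup_hardened(cloud_type: str) -> str:
    # HARDENED: reject anything outside the allowlist, then run without a shell.
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unsupported cloud_type: {cloud_type!r}")
    argv = ["echo", f"lookup-for-cloud-{ALLOWED_CLOUD_TYPES[cloud_type]}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed attacker value: a valid-looking id followed by an injected command.
    payload = "1; echo INJECTED"
    print("vulnerable :", repr(flightpath_lookup_vulnerable(payload)))  # second line INJECTED
    print("argv only  :", repr(flightpath_lookup_argv_only(payload)))   # payload echoed literally
    try:
        flightpath_lookup_hardened(payload)
    except ValueError as exc:
        print("hardened   : rejected ->", exc)
    print("hardened ok:", repr(flightpath_lookup_hardened("1")))
```

The `echo` stands in for whatever binary the real handler invokes; the behaviour that matters is the same, since the injected `echo INJECTED` runs as a separate command only in the `shell=True` variant.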


A public PoC exploit has triggered widespread abuse of the Aviatrix Controller flaw

According to reports, a proof-of-concept exploit uploaded to GitHub earlier this month set off widespread exploitation of the vulnerability.

Threat actors exploit the bug to install Sliver backdoors and to mine Monero with XMRig without authorisation. Although Aviatrix Controller is deployed in only a small share of cloud enterprise environments, the instances that do exist frequently offer a route to lateral movement and privilege escalation.

Researchers estimate the affected component is present in at least 3% of cloud enterprise environments, and that in 65% of those the virtual machine hosting the exploited Controller has a lateral movement path to administrative cloud control plane permissions.

The researchers reported no evidence of attackers actually moving laterally so far, but they suspect the threat actors are using the bug to enumerate the host's cloud permissions and to scope out potential data exfiltration.

Aviatrix has released a patch for the flaw and recommends that affected customers apply it, or upgrade to Controller version 7.1.4191 or 7.2.4996, which contain the fix.

Affected users should also verify that the Controller does not expose port 443 to the internet and should reduce its attack surface by applying the recommended Controller IP access policies.
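A version check against the figures quoted above, added here as an example rather than Aviatrix tooling. The fixed builds are branch-specific (7.1.4191 for the 7.1 line, 7.2.4996 for the 7.2 line), so a naive numeric comparison misclassifies 7.1.4191 as affected because it sorts below 7.2.4820; the check below compares against the fix for the Controller's own branch and falls back to the advisory's stated range for 7.x branches without a listed fix. The reading that each fixed build covers its own minor branch is an assumption drawn from the two version numbers given.

```python
import re

# Fixed builds per branch, taken from the advisory figures quoted in the article.
# Assumption: each fix covers its own minor branch (7.1.x and 7.2.x respectively).
FIXED_BUILD = {(7, 1): 4191, (7, 2): 4996}
# Highest version the advisory names as affected ("all 7.x up to 7.2.4820").
LAST_KNOWN_AFFECTED = (7, 2, 4820)


def parse_version(version: str) -> tuple:
    # Accepts strings such as "7.2.4820" and returns (major, minor, build).
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Aviatrix version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    major, minor, build = parse_version(version)
    if major != 7:
        return False  # the advisory only covers the 7.x line
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is not None:
        return build < fixed  # branch has a fix: anything older is affected
    # Branch with no listed fix (e.g. 7.0.x): affected if inside the stated range.
    return (major, minor, build) <= LAST_KNOWN_AFFECTED


if __name__ == "__main__":
    # Constructed sample inventory of Controller versions.
    for v in ["7.1.4100", "7.1.4191", "7.2.4820", "7.2.4996", "7.0.200", "7.3.1"]:
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```

Feed it the version string from each Controller's UI or inventory; anything reported as affected should be patched or upgraded before the exposure checks above are treated as sufficient.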
