U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini January 17, 2025

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Aviatrix Controllers OS Command Injection vulnerability, tracked as CVE-2024-50603 (CVSS score of 10) to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw affects Aviatrix Controller versions before 7.1.4191 and 7.2.x versions before 7.2.4996. It allows unauthenticated attackers to execute arbitrary code through improper neutralization of commands in the API.

The vulnerability is caused by the improper neutralization of user-supplied input and has been addressed in the patched versions 7.1.4191 and 7.2.4996.
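As an added example that is not part of this article, the following Python check maps a controller's reported version onto the affected ranges stated above, so an inventory can be triaged for the missing patch. The inventory entries are constructed, and treating 7.3 and later as outside the affected ranges is an assumption, since the advisory names only the 7.1 and 7.2 lines.

```python
from typing import Dict, List, Tuple

# Affected ranges as stated for CVE-2024-50603:
# anything below 7.1.4191, and the 7.2 line below 7.2.4996.
FIXED_71 = (7, 1, 4191)
FIXED_72 = (7, 2, 4996)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.build' into a comparable tuple; extra components are ignored."""
    parts = v.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised Aviatrix Controller version: {v!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_vulnerable(v: str) -> bool:
    """True if the version falls inside an affected range from the advisory."""
    ver = parse_version(v)
    if ver[:2] == (7, 2):
        return ver < FIXED_72
    if ver[:2] > (7, 2):
        # Assumption: 7.3+ is not named as affected, so it is treated as not vulnerable.
        return False
    # Every version below the 7.1 fix, including older major/minor lines.
    return ver < FIXED_71


# Constructed sample inventory (hypothetical host names, not from the article).
INVENTORY: Dict[str, str] = {
    "controller-a": "7.1.4190",
    "controller-b": "7.1.4191",
    "controller-c": "7.2.4995",
    "controller-d": "7.2.4996",
    "controller-e": "7.0.2300",
}


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the names of hosts that still need the patch, sorted for stable output."""
    return sorted(name for name, v in inventory.items() if is_vulnerable(v))


if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: {INVENTORY[name]} is affected by CVE-2024-50603, upgrade required")
```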

The Wiz Incident Response team reported that threat actors are exploiting the flaw in attacks in the wild to deploy backdoors and cryptocurrency miners.

“The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privilege escalation in the AWS control plane.” reads the advisory published by Wiz. “Organizations should patch urgently.”

A proof-of-concept (PoC) exploit is publicly available.

Aviatrix’s PSIRT confirmed the active exploitation of the flaw.

“A vulnerability could allow an unauthenticated user to execute arbitrary commands against Aviatrix Controllers.” reads the PSIRT’s advisory. “Aviatrix has seen indications that bad actors are attempting to exploit this vulnerability, and strongly recommends that you take action to protect your controllers.”

In AWS, Aviatrix Controller’s default privilege escalation amplifies the risk of exploitation, enabling cryptojacking and backdoor attacks, per Wiz Research.

According to data gathered by Wiz, around 3% of cloud enterprise environments have Aviatrix Controller deployed. The experts warn that in 65% of those environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.

Threat actors exploit the vulnerability to mine cryptocurrency with XMRig, deploy Sliver backdoors, and likely enumerate cloud permissions for potential data exfiltration.

“Our investigation of these instances has shown that the threat actors exploiting this vulnerability are abusing their access to mine cryptocurrency using XMRig and deploy Sliver backdoors, presumably for persistence purposes (to avoid losing access if the infected machine is patched).” Wiz concludes.

“While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 6, 2025.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA Known Exploited Vulnerabilities catalog)