Vulnerability Management, Cloud Security

Critical 10.0 Aviatrix Controller flaw exploited in the wild


A critical code execution flaw in the Aviatrix Controller with a 10.0 CVSS score has been exploited in the wild, resulting in cryptojacking and backdoor deployment.

After a proof-of-concept was published, Wiz researchers said in a Jan. 11 post that it’s especially serious because Aviatrix Controllers are a "prime target" of threat actors since they manage and connect multi-cloud environments, and have high-level privileges.

“Based on our data, around 3% of cloud enterprise environments have Aviatrix Controller deployed,” wrote the Wiz researchers. “However, our data shows that in 65% of such environments, the virtual machines hosting Aviatrix Controller have a lateral movement path to administrative control plane permissions.”

The Wiz researchers added that this lateral movement makes Aviatrix Controller a vulnerable target for threat actors who aim to move laterally and escalate their privileges in the cloud environment once they gain initial access to the controller via the exploitation of the RCE.

Former NSA cyber expert Evan Dornbush explained that the flaw — CVE-2024-50603 — exists in an API endpoint and lets an unauthenticated party transmit malicious instructions to the vulnerable server. An API endpoint is the digital location where an API receives API calls and delivers responses.

“In terms of danger to organizations, those malicious instructions could result in the theft of proprietary data, denial or degradation of service, deployment of malware, or even full compromise of the vulnerable server,” said Dornbush. “Aviatrix has issued a patch, and now the classic race is on: adversaries can build an exploit for the vulnerability based on researching the patch, so owner/operators are advised to mitigate promptly.”

Ray Kelly, a fellow at BlackDuck, added that developers often assume that APIs are hidden or immune to common web application attacks, but this example highlights how attackers can compromise a server through a simple web call.

“Thoroughly testing APIs is challenging due to their size, complexity, and the interdependence of chained calls,” said Kelly. “However, comprehensive security testing is essential, as neglecting it can lead to catastrophic consequences.”

James Scobey, chief information security officer at Keeper Security, said in AWS environments, this vulnerability poses an even greater risk because Aviatrix Controller often has elevated IAM permissions by default, enabling attackers to escalate privileges and potentially compromise the cloud control plane.

“A PoC exploit is now public, and threat actors are actively leveraging it to deploy cryptojacking malware and backdoors,” said Scobey. “Patching immediately to versions 7.1.4191 or 7.2.4996 is non-negotiable.”
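The two fixed builds Scobey names are the practical test a defender can apply to a controller inventory. As an added example (not code from Aviatrix, Wiz, SC Media or any of the sources quoted), the following Python script classifies each controller as patched, vulnerable or unknown against those builds. It assumes version strings in the "major.minor.build" form the article uses (e.g. "7.1.4191"); the inventory records, their names and their versions are constructed sample data, and release branches the article does not mention are reported as "unknown" rather than guessed.

```python
"""Triage Aviatrix Controller versions against the fixed builds named in the article.

Added example, not code from Aviatrix, Wiz or SC Media. Assumes version strings
use the "major.minor.build" form seen in the article (e.g. "7.1.4191"); the
inventory records below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed builds per release branch, as stated in the article for CVE-2024-50603.
FIXED_BUILDS: dict[tuple[int, int], int] = {
    (7, 1): 4191,
    (7, 2): 4996,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class Controller:
    name: str      # hypothetical inventory label
    version: str   # version string as reported by the (constructed) inventory


def parse_version(version: str) -> tuple[int, int, int] | None:
    """Return (major, minor, build), or None if the string is not in the expected form."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def patch_status(version: str) -> str:
    """Classify one controller version.

    'patched'    - on a branch the article names and at/above its fixed build
    'vulnerable' - on a named branch but below its fixed build
    'unknown'    - branch not covered by the article (check the vendor advisory)
    'unparsed'   - version string not in major.minor.build form
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed"
    major, minor, build = parsed
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: list[Controller]) -> dict[str, list[str]]:
    """Group controller names by patch status so the vulnerable list can be acted on first."""
    report: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "unknown": [], "unparsed": [],
    }
    for c in inventory:
        report[patch_status(c.version)].append(c.name)
    return report


# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    Controller("ctrl-prod-us", "7.1.4100"),     # 7.1 branch, below fixed build
    Controller("ctrl-prod-eu", "7.1.4191"),     # exactly the fixed 7.1 build
    Controller("ctrl-dev", "7.2.4990"),         # 7.2 branch, below fixed build
    Controller("ctrl-lab", "7.2.5010"),         # 7.2 branch, above fixed build
    Controller("ctrl-legacy", "7.0.2200"),      # branch not named in the article
    Controller("ctrl-bad-record", "n/a"),       # malformed inventory entry
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(names) or '-'}")
```

Versions on a branch the article does not cover are deliberately not marked patched: a build number from one branch says nothing about another, so those entries go to the "unknown" bucket for a manual check against the vendor advisory, and malformed inventory records are surfaced instead of silently skipped.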

Meny Har, co-founder and CEO at Opus Security, added that the potential impact of this flaw is significant because an attacker exploiting this vulnerability could gain extensive access to organizational resources, potentially causing substantial damage or gaining access to privileged data.

“With regards to patching, a patch has indeed been made available to address this vulnerability,” said Har. “However, the urgency now is for security teams to implement this patch across all affected environments promptly. Since there’s evidence of this vulnerability being actively exploited, the associated risks significantly increase and this necessitates immediate action to secure the impacted environments.”
