A severe vulnerability in the Aviatrix Controller has left several cloud deployments compromised, putting sensitive data at risk. The bug, CVE-2024-50603, allows remote code execution (RCE), and default deployments of Aviatrix Controller in AWS allow privilege escalation, making it a prime target for threat actors.
Researchers at Wiz have discovered that the vulnerability has already been exploited by attackers, leading to malware deployment and cryptojacking. The malicious activity involves Sliver backdoors for persistent access and XMRig, a common tool used in cloud compromises.
The exploit was made public just one day after its initial disclosure, leaving defenders with inadequate time to apply patches. Aviatrix Controller is used by approximately 3% of all AWS customers, but 65% of these environments have a lateral movement path that allows attackers to gain admin permissions.
Aviatrix has released a patch for vulnerable controllers, but it may need to be reapplied in certain circumstances. Users are advised to upgrade to version 7.2.4996, which is not vulnerable to the bug, and prevent public access to the controller via port 443 if possible.
The exploit highlights the importance of timely patching and secure configuration of cloud services. As the threat actors gather cloud permissions for data exfiltration, extortion could become a factor if the compromise is left unaddressed.
Source: https://www.theregister.com/2025/01/13/severe_aviatrix_controller_vulnerability