A critical remote command execution vulnerability (CVE-2024-50603) has been exploited in the wild, allowing hackers to install backdoors and crypto miners in Aviatrix Controller instances. The flaw was discovered on October 17, 2024, and affects all versions of Aviatrix Controller from 7.x through 7.2.4820.
Threat actors are sending specially crafted API requests to achieve unauthenticated remote command execution, then planting Sliver backdoors and running XMRig to mine Monero (cryptojacking). Although only a small percentage of cloud enterprise environments deploy Aviatrix Controller, most of those deployments carry a risk of lateral network movement and privilege escalation.
Aviatrix recommends that impacted users upgrade to 7.1.4191 or 7.2.4996, either of which addresses CVE-2024-50603. Additionally, users must ensure that the Controller does not expose port 443 to the internet, and should reduce their attack surface by following the recommended IP access guidelines.
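The two mitigation checks above, version triage and port-443 exposure, as an added defender-side example in Python (not code from the article, Aviatrix, or Wiz); the version facts are the ones quoted here, while the inventory and the (from_port, to_port, cidr) rule tuples are constructed and assumed, not a real cloud API.

```python
"""Defender-side triage for CVE-2024-50603 (added example, not from the
article or Aviatrix). Version facts come from the summary above; the rule
tuples (from_port, to_port, cidr) are a constructed shape, not a cloud API."""
import ipaddress

# Fixed builds per branch, as quoted. Branch-aware comparison matters:
# 7.1.4191 sorts below 7.2.4820 numerically yet is a fixed build.
FIXED_BUILDS = {(7, 1): 4191, (7, 2): 4996}
LAST_AFFECTED = (7, 2, 4820)  # "7.x through 7.2.4820"

def parse_version(v: str) -> tuple:
    """Parse 'major.minor.build' into a tuple of ints; reject anything else."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Aviatrix version string: {v!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(v: str) -> bool:
    """True if the build is in the affected range and below its branch fix.
    Builds between 7.2.4820 and 7.2.4996 are not mentioned by the article;
    they are treated as unpatched, the conservative choice for triage."""
    major, minor, build = parse_version(v)
    if major != 7:
        return False  # the article scopes the flaw to the 7.x line
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:  # e.g. 7.0.x: no fix listed, so apply the range only
        return (major, minor, build) <= LAST_AFFECTED
    return build < fixed

def exposes_443_to_internet(rules) -> bool:
    """Flag any inbound rule that opens port 443 to 0.0.0.0/0 or ::/0."""
    for from_port, to_port, cidr in rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if from_port <= 443 <= to_port and net.prefixlen == 0:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, inbound rules).
    inventory = [
        ("ctrl-a", "7.2.4820", [(443, 443, "0.0.0.0/0")]),
        ("ctrl-b", "7.1.4191", [(443, 443, "203.0.113.0/24")]),
        ("ctrl-c", "7.2.4996", [(0, 65535, "::/0")]),
    ]
    for host, ver, rules in inventory:
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed"
        exposed = "443 open to internet" if exposes_443_to_internet(rules) else "443 restricted"
        print(f"{host} {ver}: {state}, {exposed}")
```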
Exploitation of this vulnerability has been fueled by a proof-of-concept (PoC) exploit published on GitHub on January 8, 2025. Wiz Research reports that the threat actors are using the flaw to enumerate the host's cloud permissions and look for data exfiltration opportunities, although it has seen no evidence of lateral movement.
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-aviatrix-controller-rce-flaw-in-attacks