Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

Jan. 13, 2025, 4:45 p.m.

Description

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS environments. Observed exploitation has resulted in cryptojacking and backdoor deployment. The vulnerability stems from improper handling of user-supplied parameters in the controller's API. Around 3% of enterprise cloud environments have Aviatrix Controller deployed, and 65% of those have lateral movement paths to administrative cloud control plane permissions. Urgent patching and forensic investigation of deployed controllers are recommended to mitigate the risk.

Date

  • Created: Jan. 13, 2025, 4:35 p.m.
  • Published: Jan. 13, 2025, 4:35 p.m.
  • Modified: Jan. 13, 2025, 4:45 p.m.

Linked vulnerabilities

Indicators

  • e638db05332e0beb528ca1f742094c54853fe347fe76e5a678f891e318104c8d
  • e0a4c5dbb6c10b7be03336b4d17ee56401f2a29263683093b8cd19c813acad37
  • 91.193.19.109
  • 107.172.43.186
  • http://91.193.19.109:13333
  • http://107.172.43.186:3939

Attack Patterns

  • Sliver
  • XMRig
  • T1571
  • T1082
  • T1105
  • T1496
  • T1102
  • T1219
  • T1190
  • T1133
  • T1078
  • T1059
  • CVE-2021-40870
  • CVE-2025-0283
  • CVE-2025-0282
  • CVE-2024-50603