Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)
Jan. 13, 2025, 4:45 p.m.
Description
A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS environments. Exploitation has resulted in cryptojacking and backdoor deployment. The vulnerability stems from improper handling of user-supplied parameters in the API. Around 3% of cloud enterprise environments have Aviatrix Controller deployed, with 65% of these having lateral movement paths to administrative cloud control plane permissions. Urgent patching and forensic investigation are recommended to mitigate risks.
Date
Published: Jan. 13, 2025, 4:35 p.m.
Created: Jan. 13, 2025, 4:35 p.m.
Modified: Jan. 13, 2025, 4:45 p.m.
Indicators
Attack Patterns
Sliver
XMRig
T1571
T1082
T1105
T1496
T1102
T1219
T1190
T1133
T1078
T1059
CVE-2021-40870
CVE-2025-0283
CVE-2025-0282
CVE-2024-50603