Stratos Ally

Aviatrix Controller Under Attack: Critical RCE Flaw Weaponized


DarkSoul


The Aviatrix Controller cloud networking platform is under active exploitation in the wild, with attackers using it to deploy backdoors and cryptocurrency miners. Cloud security firm Wiz reported that it is responding to "multiple incidents" involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a code injection vulnerability (OS command injection) that allows unauthenticated remote code execution. 

The flaw lies in certain API endpoints of the Controller that fail to sanitize user-supplied input before passing it to the operating system shell. An unauthenticated attacker who can reach the API can therefore inject shell metacharacters and execute arbitrary commands on the controller host. Controller versions before 7.1.4191 and 7.2.x before 7.2.4996 are affected; the fix is included in 7.1.4191 and 7.2.4996.   
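The bug class described above, shown as an added example rather than the Controller's own code (the page does not reproduce it): an API parameter is interpolated into a shell command string, the shell splits the string on `;`, and the attacker's appended command runs. The hardened handler below validates the parameter against an allow-list and then executes without a shell, so the value stays a single argv element. The parameter name `cloud_type`, the allowed values, and the harmless `echo` stand-in for the real backend binary are all assumptions chosen for illustration.

```python
import re
import shlex
import subprocess

# Assumed allow-list of cloud-type codes; the real controller's values are not
# given on this page, so these are placeholders for illustration only.
ALLOWED_CLOUD_TYPES = {"1", "4", "8", "16"}
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_vulnerable_command(cloud_type: str) -> str:
    """Anti-pattern: interpolate an API parameter into a shell command string.
    `echo` stands in for whatever backend binary a real handler would call."""
    return f"echo listing destinations for cloud type {cloud_type}"


def shell_tokens(command: str) -> list[str]:
    """Tokenize as /bin/sh would, with ';', '|', '&' etc. as separate tokens,
    so it is visible where an injected payload becomes a second command."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def run_vulnerable(cloud_type: str) -> list[str]:
    """Execute through the shell (shell=True): metacharacters in cloud_type
    are interpreted, so '4; echo INJECTED' runs a second command."""
    cmd = build_vulnerable_command(cloud_type)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv_only(cloud_type: str) -> list[str]:
    """No shell: the parameter is one argv element, so any metacharacters
    reach the program as literal text and nothing is parsed or executed."""
    out = subprocess.run(
        ["echo", "listing", "destinations", "for", "cloud", "type", cloud_type],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.splitlines()


def validate_cloud_type(cloud_type: str) -> str:
    """Positive validation before the value reaches any process at all:
    a strict character class first, then the allow-list."""
    if not SAFE_TOKEN.fullmatch(cloud_type):
        raise ValueError(f"cloud_type contains disallowed characters: {cloud_type!r}")
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unknown cloud_type: {cloud_type!r}")
    return cloud_type


def is_accepted(cloud_type: str) -> bool:
    """True if the hardened validation would let this value through."""
    try:
        validate_cloud_type(cloud_type)
        return True
    except ValueError:
        return False


def run_hardened(cloud_type: str) -> list[str]:
    """Both layers together: allow-list validation, then argv-only execution."""
    return run_argv_only(validate_cloud_type(cloud_type))


if __name__ == "__main__":
    payload = "4; echo INJECTED"  # constructed attacker input
    print(shell_tokens(build_vulnerable_command(payload)))
    print(run_vulnerable(payload))   # second output line proves the injected command ran
    print(run_argv_only(payload))    # payload is echoed literally, nothing executed
    print(is_accepted(payload))      # False: rejected before any process starts
    print(run_hardened("4"))
```

Either layer alone defeats this particular payload: argv-only execution stops the shell from ever seeing the `;`, and validation stops the request before a process is spawned. Keeping both matters because a backend that itself re-invokes a shell (a wrapper script, `sudo` rules, SSH to a gateway) can reintroduce the problem downstream of the argv boundary.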

A proof-of-concept exploit was published by Jakub Korepta, a security researcher at the Polish cybersecurity company SecuRing, and can be found here.  

Wiz researchers Gal Nagli, Merav Bar, Gili Tikochinski, and Shaked Tanchuma noted, "When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk." According to their analysis, roughly 3% of enterprise cloud environments have Aviatrix Controller deployed, and in 65% of those the controller had a lateral movement path to administrative cloud control plane permissions, so compromising the controller can lead to privilege escalation across the cloud environment.  

Attackers are using CVE-2024-50603 for initial access to exposed controllers, then mining cryptocurrency with XMRig and deploying the Sliver command-and-control (C2) framework for persistence and follow-on activity. Organizations running Aviatrix Controller should upgrade to the patched versions as soon as possible and block public access to the controller's management interface. Because exploitation leaves backdoors behind, patching alone does not clean up an instance that was already compromised; controllers that were reachable from the internet before the patch should also be examined for indicators of compromise. 
