Critical Aviatrix RCE Flaw Exposed: How Attackers are Targeting the Cloud
A newly discovered vulnerability, CVE-2024-50603, has raised alarms with its maximum CVSS score of 10, allowing attackers to execute remote code without authentication—an exploit they're already leveraging to deploy malware.
Cybercriminals are actively exploiting the critical vulnerability in the Aviatrix Controller, a centralised management platform widely used for cloud networking. This newly disclosed flaw, CVE-2024-50603, carries the highest severity rating on the CVSS scale, making it a prime target for attackers. The bug lets unauthenticated remote attackers execute arbitrary commands on the controller and potentially take full control of the system.
The vulnerability has already been linked to active attacks, with malicious actors deploying the XMRig cryptomining malware and the Sliver backdoor on compromised systems. The cryptominer consumes the victim's compute resources, while the backdoor gives attackers persistent remote access.
Why CVE-2024-50603 is Especially Concerning
The risk posed by this vulnerability is amplified in Amazon Web Services (AWS) environments, where the Aviatrix Controller often enables privilege escalation by default. Security researchers from Wiz have highlighted that approximately 3% of enterprise cloud setups deploy Aviatrix Controller, and in 65% of these environments, attackers could exploit lateral movement paths to escalate to administrative cloud permissions. This makes the vulnerability a high-stakes issue for organisations relying on cloud services.
Aviatrix’s platform is a critical tool for hundreds of large organisations managing multi-cloud environments, including AWS, Azure, and Google Cloud. It plays a key role in automating cloud infrastructure, enforcing security policies, and managing network encryption and connectivity. Among its customers are prominent companies like Heineken, Raytheon, Yara, and IHG Hotels and Resorts.
The root cause of CVE-2024-50603 is the Aviatrix Controller's failure to properly validate data passed through its application programming interface (API). Common API risks include misconfigurations, poor visibility, and insufficient security testing, all of which can open the door to exploitation.
The vulnerability affects all supported versions of Aviatrix Controller prior to 7.2.4996 or 7.1.4191. To address the issue, Aviatrix has released a patch and advises organisations to either apply the fix or upgrade to one of those versions. However, the company has cautioned that under certain conditions the patch may not persist across controller upgrades and might need to be reapplied. Aviatrix notes this is particularly true when the patch is applied to unsupported versions of the software.
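Turning the affected-version statement above into an inventory check is a useful first step for defenders. The following is an added example, not code from the article or from Aviatrix: it classifies controller versions against the two fixed builds named above, and treats any release train the article does not mention as needing manual review rather than guessing. The hostnames and version strings in the sample inventory are constructed.

```python
import re

# Fixed builds named in the advisory text; anything earlier on the same
# release train is vulnerable to CVE-2024-50603.
FIXED_BUILDS = {
    (7, 1): (7, 1, 4191),
    (7, 2): (7, 2, 4996),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.build' into a comparable tuple of ints."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised controller version: {text!r}")
    major, minor, build = (int(x) for x in m.groups())
    return (major, minor, build)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one controller version."""
    major, minor, build = parse_version(version)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        # Release trains other than 7.1 and 7.2 are not named in the article.
        # Older trains (e.g. 7.0, 6.x) predate both fixed builds, but rather
        # than assume, flag them for manual review against the vendor advisory.
        return "unknown"
    return "fixed" if (major, minor, build) >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group controller hostnames by assessment, preserving inventory order."""
    out: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, ver in inventory.items():
        out[assess(ver)].append(host)
    return out


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ctrl-prod-1": "7.2.4820",
    "ctrl-prod-2": "7.2.4996",
    "ctrl-dev": "7.1.4100",
    "ctrl-lab": "7.1.4191",
    "ctrl-legacy": "7.0.2000",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Because the article warns that the patch may not persist across upgrades, re-run the check after every controller upgrade rather than once.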
Cloud Exploits on the Rise
A security researcher from SecuRing discovered and reported the flaw to Aviatrix, which publicly disclosed the vulnerability on January 7th. Within just 24 hours, a proof-of-concept exploit was uploaded to GitHub, sparking a wave of exploit activity almost immediately.
Since the release of the proof-of-concept exploit, attackers have been actively scanning the internet for unpatched Aviatrix deployments, primarily using automated tools, according to Alon Schindel, Vice President of AI & Threat Research at Wiz. While most exploitation attempts have been opportunistic and broad, a few cases suggest higher sophistication.
Multiple threat actors, including criminal groups, are leveraging the flaw, with no single group dominating the activity. Depending on the setup, attackers could exfiltrate data, access connected systems, or disrupt operations. Many organisations have started patching their systems, reducing their exposure to these attacks.
The Aviatrix vulnerability serves as a reminder of the growing risks tied to APIs and the need for testing and governance of third-party software. While many organisations have applied the emergency patch released in November 2024, those that haven't remain prime targets for attackers.
Experts urge swift patching, network restrictions, and close monitoring of system activity to mitigate risk. Aviatrix continues to assist customers in securing their systems and recovering from potential exploits, emphasising the importance of proactive security measures.