
Attackers Target Aviatrix CVE-2024-50603 Flaw

Attackers are using a recently disclosed critical vulnerability in the Aviatrix Controller cloud networking platform in targeted attacks, and CISA has just added the bug to its Known Exploited Vulnerabilities catalog. The flaw has been public for two weeks and there is a proof-of-concept exploit available, raising the level of concern for the attacks. 

Why It Matters: The vulnerability (CVE-2024-50603) is a critical unauthenticated remote code execution bug in all supported versions of Aviatrix Controller prior to 7.1.4191 on the 7.1 branch and prior to 7.2.4996 on the 7.2 branch. Attackers have been targeting the bug for a few days now, and researchers have identified several different actors attempting to exploit it. “Immediately following the publication of the exploit, Wiz Research identified evidence of successful exploitation of this vulnerability across several cloud environments. In all observed instances, the infected machines were publicly exposed, confirmed as vulnerable to CVE-2024-50603, and not vulnerable to CVE-2021-40870 (the last known RCE vulnerability affecting Aviatrix Controller), which leads us to conclude with high confidence that the attackers gained access to these machines via exploitation of the recent RCE,” an analysis by Wiz researchers says. 

Key Details

  • Aviatrix disclosed the vulnerability on Jan. 7 and released a patch that addresses the issue

  • On Jan. 8, a PoC exploit was published, and researchers began seeing exploitation attempts right away

  • “A vulnerability could allow an unauthenticated user to execute arbitrary command against Aviatrix Controllers. Aviatrix has seen indications that bad actors are attempting to exploit this vulnerability, and strongly recommends that you take action to protect your controllers,” the company’s advisory says. 

  • The Aviatrix patch is not persistent in all circumstances, even if the Controller status says it’s patched. Specifically, the fix can be lost if the patch was first applied to a version prior to 7.1.4191 or 7.2.4996 and the Controller is subsequently upgraded to a version that is still prior to 7.1.4191 or 7.2.4996, or if the Controller does not have an associated CoPilot running version 4.16.1 or higher. The durable fix is to upgrade to 7.1.4191 or 7.2.4996 (or later) rather than relying on the hotfix alone, and to re-verify the patch after any upgrade.

  • CISA added this bug to its KEV catalog on Jan. 16
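To turn the version thresholds above into a repeatable check across a fleet, here is an added Python triage helper. It is not code from Aviatrix or from this post; it encodes only the numbers the advisory states (fixed builds 7.1.4191 and 7.2.4996, CoPilot 4.16.1 for hotfix persistence). The inventory records, host names and the `hotfix_applied` flag are hypothetical inputs you would populate from your own asset data, and the decision to treat branches older than 7.1 as vulnerable is this helper's reading of "all supported versions prior to" the fixes, not a vendor statement.

```python
"""Added triage helper for CVE-2024-50603 (not Aviatrix code): encodes the
fixed builds and the CoPilot requirement exactly as the advisory states them.

Assumptions (not from the advisory): the caller can read the Controller and
CoPilot version strings and knows whether the hotfix was applied.
"""
from __future__ import annotations

# Fixed Controller build per release branch, per the advisory.
FIXED_CONTROLLER_BUILD = {(7, 1): 4191, (7, 2): 4996}
# The hotfix only persists with an associated CoPilot at this version or higher.
MIN_COPILOT = (4, 16, 1)


def parse_version(text: str) -> tuple[int, ...]:
    """'7.1.4191' -> (7, 1, 4191). Rejects blank or non-numeric components."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(part) for part in parts)


def controller_status(version: str) -> str:
    """Classify a Controller version as 'fixed', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    if len(v) < 3:
        raise ValueError(f"expected major.minor.build, got {version!r}")
    branch, build = (v[0], v[1]), v[2]
    if branch in FIXED_CONTROLLER_BUILD:
        # Thresholds are per branch: 7.2.4191 is NOT fixed even though
        # its build number is at or above the 7.1 fix build.
        return "fixed" if build >= FIXED_CONTROLLER_BUILD[branch] else "vulnerable"
    if branch < (7, 1):
        # Older than both fixed branches: "all supported versions prior to" the fixes
        # (this helper's reading of the advisory, flagged as an assumption).
        return "vulnerable"
    # A branch the advisory does not name; do not guess, confirm with the vendor.
    return "unknown"


def hotfix_persists(copilot_version: str | None) -> bool:
    """Per the advisory, the hotfix does not persist without CoPilot >= 4.16.1."""
    if copilot_version is None:
        return False
    return parse_version(copilot_version) >= MIN_COPILOT


def triage(controller_version: str, hotfix_applied: bool = False,
           copilot_version: str | None = None) -> str:
    """Return one of FIXED, VULNERABLE, HOTFIX_NOT_PERSISTENT, HOTFIXED, UNKNOWN."""
    status = controller_status(controller_version)
    if status == "fixed":
        return "FIXED"
    if status == "unknown":
        return "UNKNOWN"
    if not hotfix_applied:
        return "VULNERABLE"
    if not hotfix_persists(copilot_version):
        # Patched today, but the fix can silently disappear; upgrade instead.
        return "HOTFIX_NOT_PERSISTENT"
    return "HOTFIXED"


ACTION = {
    "FIXED": "running a fixed release; still review exposure and logs",
    "VULNERABLE": "exploited in the wild: upgrade to 7.1.4191 / 7.2.4996 or later now",
    "HOTFIX_NOT_PERSISTENT": "hotfix may not persist (CoPilot < 4.16.1 or absent): upgrade and re-check",
    "HOTFIXED": "hotfix in place; still upgrade, and re-verify after any future upgrade",
    "UNKNOWN": "branch not covered by the advisory text: confirm with Aviatrix",
}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    {"name": "ctrl-prod-1", "controller": "7.1.4190", "hotfix": False, "copilot": "4.16.1"},
    {"name": "ctrl-prod-2", "controller": "7.2.4191", "hotfix": True, "copilot": "4.15.3"},
    {"name": "ctrl-dev-1", "controller": "7.2.4996", "hotfix": False, "copilot": None},
    {"name": "ctrl-lab-1", "controller": "7.1.4000", "hotfix": True, "copilot": "4.16.1"},
]


def triage_inventory(inventory) -> dict[str, str]:
    """Map each host name to its triage verdict."""
    return {h["name"]: triage(h["controller"], h["hotfix"], h["copilot"]) for h in inventory}


if __name__ == "__main__":
    for name, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:12} {verdict:22} {ACTION[verdict]}")
```

The branch-aware comparison is the point: a 7.2 Controller at build 4191 is still vulnerable even though 4191 is the fixed build on the 7.1 branch, and a hotfixed host without CoPilot 4.16.1 is reported separately because its patched status may not survive the next upgrade.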

What to Do Now: PATCH. The all caps is not a typo. There is a PoC exploit, the details of the vulnerability are public, and the vulnerable app is a very high-value target.