Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners
Summary:
Cloud security firm Wiz is currently responding to multiple incidents involving active exploitation of a recently disclosed critical security flaw, CVE-2024-50603, which impacts the Aviatrix Controller cloud networking platform. The vulnerability is being leveraged in the wild to deploy backdoors and cryptocurrency miners. It carries the maximum CVSS score of 10.0 and can result in unauthenticated remote code execution: certain API endpoints do not adequately sanitize user-supplied input, so an attacker can inject malicious operating system commands. The vulnerability has been patched in versions 7.1.4191 and 7.2.4996.
A security researcher at the Polish cybersecurity company Securing has been credited with discovering and reporting the flaw, and proof-of-concept (PoC) exploit code has been made publicly available. Data gathered by Wiz indicates that 3% of all cloud enterprise environments run Aviatrix Controller, and that 65% of those instances are configured with a lateral movement path to administrative cloud control plane permissions, allowing an attacker to escalate privileges in those cloud environments. In AWS environments, Aviatrix Controller allows privilege escalation by default, increasing the overall risk to an organization's security posture. Wiz observed that real-world attacks exploiting CVE-2024-50603 use the initial access to mine cryptocurrency on the targeted instances with XMRig and to deploy the Sliver command-and-control (C2) framework, likely for persistence and further exploitation.
Security Officer Comments:
A proof-of-concept exploit was made publicly available by a security researcher on 2025-01-08. Following its publication, Wiz Research identified evidence of successful exploitation of this vulnerability across several cloud environments. All impacted machines were publicly exposed, confirmed vulnerable to CVE-2024-50603, and not vulnerable to CVE-2021-40870, the last known RCE flaw affecting Aviatrix Controller. From this, we can infer that the adversary achieved initial access via CVE-2024-50603. Wiz observed that all discovered malware was deployed between January 7, 2025, and January 10, 2025, and that exploitation surged following the publication of the PoC exploit on GitHub. Threat actors are likely using the vulnerability to enumerate the cloud permissions of the host and then pivoting to exfiltrate data from the victims' cloud environments. It is recommended to upgrade Aviatrix Controller to the patched version (7.2.4996) and, where possible, to implement network restrictions that prevent public access to the controller. Whether or not your environment is already patched, it remains critical to hunt for any evidence of prior compromise, to ensure that no backdoors were left behind and that no lateral movement to the cloud control plane has occurred.
Suggested Corrections:
IOCs are available in the Wiz Research post linked below.
- Regular software updates: The most critical step. Ensure all systems and applications are patched with the latest security fixes to address known vulnerabilities.
- Automated scanning: Employ vulnerability scanning tools to regularly identify potential weaknesses across your network and systems.
- Identity and access management (IAM): Implement strong access controls to limit Aviatrix Controller privileges and prevent unauthorized access to sensitive data. In this case, Aviatrix Controller must be granted high IAM privileges in AWS environments to function properly.
- Network restrictions: Implement network restrictions to prevent public access to Aviatrix Controller.
- Incident response plan: Develop a well-defined plan outlining how to respond to security incidents, including identification, containment, and remediation steps.
- Cloud security posture management (CSPM): For cloud environments, utilize tools to monitor cloud configurations and identify potential security risks.
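As an added illustration of the "Regular software updates" item (example code written for this page, not code from the advisory, from Wiz or from Aviatrix), the following Python script classifies a controller's reported version against the two fixed versions named above, 7.1.4191 and 7.2.4996. It assumes that each fix is the floor for its own release branch, that anything older than the 7.1 branch is unpatched, and that newer branches the advisory does not mention should be flagged "unknown" rather than guessed at; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Literal

# Fixed versions named in the advisory, keyed by release branch (first two components).
# Assumption: each fixed version is the floor for its own branch.
FIXED_VERSIONS = {
    (7, 1): (7, 1, 4191),
    (7, 2): (7, 2, 4996),
}

Status = Literal["patched", "vulnerable", "unknown"]


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted version such as '7.2.4996' into a tuple of ints.

    A trailing build suffix (e.g. '7.2.4996-12') is ignored; anything
    that is not a dotted number raises ValueError so bad inventory data
    is never silently classified.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(?:[-+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def patch_status(version: str) -> Status:
    """Classify one controller version against the fixed versions.

    'patched'    - at or above the fix for its branch
    'vulnerable' - in a fixed branch but below the fix, or older than any
                   fixed branch (assumption: no fix exists for older branches)
    'unknown'    - a newer branch the advisory does not name; left for a
                   human to check against the vendor release notes
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return "patched" if v >= FIXED_VERSIONS[branch] else "vulnerable"
    if branch < min(FIXED_VERSIONS):
        return "vulnerable"
    return "unknown"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by patch status so the vulnerable list can be actioned first."""
    groups: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        groups[patch_status(version)].append(host)
    return groups


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ctrl-a.example.internal": "7.2.4996",
    "ctrl-b.example.internal": "7.1.4190",
    "ctrl-c.example.internal": "7.0.3012",
    "ctrl-d.example.internal": "7.3.100",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Feed it the versions reported by your own asset inventory or CSPM export; hosts landing in "vulnerable" should be upgraded and, per the comments above, hunted for signs of prior compromise regardless of whether they are reachable from the internet.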
https://thehackernews.com/2025/01/hackers-exploit-aviatrix-controller.html
https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of-aviatrix-cve-2024-50603