The Wiz Incident Response team is actively addressing multiple security incidents linked to CVE-2024-50603, a critical unauthenticated remote code execution (RCE) vulnerability in Aviatrix Controller. The vulnerability was discovered by Jakub Korepta of Securing.
This flaw, rated the maximum CVSS score of 10.0, poses a severe risk of privilege escalation within AWS cloud environments. Entities using Aviatrix Controller are strongly advised to apply patches immediately.
Data from Wiz indicates that approximately 3% of enterprise cloud environments use Aviatrix Controller. Of these, 65% have configurations enabling lateral movement to cloud administrative permissions—a concerning statistic given the potential for widespread damage.
A High-Impact Security Threat
This vulnerability arises from improper input neutralization in the Aviatrix Controller’s API, specifically in endpoints such as list_flightpath_destination_instances and flightpath_connection_test. These endpoints incorporate parameters into command strings without proper sanitization, allowing malefactors to execute arbitrary OS commands remotely.
Patched versions 7.1.4191 and 7.2.4996 address the issue, but the vulnerability’s severity is amplified in AWS environments due to the default high IAM privileges granted to Aviatrix Controller. This allows lateral movement and privilege escalation within the cloud control plane.
Exploitation in the Wild
Wiz Research reports observing active exploitation shortly after the vulnerability was disclosed on 7 January 2025. Following the release of a proof-of-concept exploit on 8 January malicious actors targeted publicly exposed, unpatched instances.
Infected systems were used to mine cryptocurrency via XMRig and deploy Sliver backdoors, likely for persistent access. Although direct evidence of cloud lateral movement has not been confirmed, indicators suggest that attackers may be enumerating cloud permissions and preparing for data exfiltration.
Recommended Actions
Patch and Secure Systems
- Update to patched versions (7.2.4996 or later) immediately.
- Restrict public access to Aviatrix Controller where feasible to minimize exposure.
Investigate and Monitor for Compromise
Even if patched, organizations should conduct forensic investigations for signs of compromise, including malware deployment and unauthorized cloud activity. Wiz provides tools to assist with these tasks:
- Threat Page Review: Identify threats targeting Aviatrix Controller.
- Security Graph: Search for malware findings related to Aviatrix technologies.
- Cloud Events Explorer: Examine network-based indicators of compromise (IOCs) and analyze AWS CloudTrail logs for unusual API activity or new principals using Aviatrix roles.
Comprehensive Security Testing
This critical vulnerability underscores the need to secure API endpoints, says Ray Kelly, Fellow at Black Duck. “Developers often assume that APIs are hidden or immune to common web application attacks, but this example highlights how a server can be compromised through a simple web call.”
Kelly says thoroughly testing APIs is a challenge due to their size, complexity, and the interdependence of chained calls. “However, comprehensive security testing is essential, as neglecting it can lead to catastrophic consequences.”
To mitigate further risks, entities should implement Privileged Access Management (PAM) to limit access to critical roles and enforce principles of least privilege, comments James Scobey, Chief Information Security Officer at Keeper Security.
“It’s critical to conduct a thorough review to identify signs of compromise, such as abnormal API activity, unexpected malware or unusual network connections originating from the controller. Proactive patching and securing privileged accounts are also important to prevent attackers from leveraging this vulnerability to compromise cloud infrastructure,” Kelly ends.
Broader Implications for Cloud Security
This incident highlights the growing risks of vulnerabilities in cloud infrastructure tools. Organizations are urged to integrate robust monitoring systems and adopt a proactive security posture to mitigate future threats.
For detailed guidance and advisory queries, Wiz customers can access the pre-built tools in the Wiz Threat Center to detect and respond to vulnerabilities in Aviatrix Controller.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.