Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an unauthenticated RCE vulnerability in Aviatrix Controller that can lead to privilege escalation in the AWS control plane. Organizations should patch urgently.

Updated on 2025-01-19 to include additional investigation findings related to Sliver and Mirai infections.

CVE-2024-50603 is a critical code execution vulnerability impacting Aviatrix Controller, with the maximum CVSS score of 10.0. This command injection flaw allows unauthenticated attackers to execute arbitrary commands on the system remotely. The vulnerability stems from improper neutralization of user-supplied input and has been addressed in patched versions 7.1.4191 and 7.2.4996.

When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk. A simple proof-of-concept exploit has been published, and Wiz Research has already observed exploitation in the wild resulting in cryptojacking and backdoor deployment. For these reasons, it is highly recommended to upgrade Aviatrix Controller to the patched versions, conduct forensic investigation on the devices, and search for lateral movement attempts to the cloud control plane.

What is CVE-2024-50603?

The vulnerability resides in the improper handling of user-supplied parameters in the Aviatrix Controller's API, which is implemented in PHP. Specifically, the API endpoints list_flightpath_destination_instances and flightpath_connection_test incorporate parameters such as cloud_type and src_cloud_type into command strings without proper sanitization. An unauthenticated user can therefore inject OS commands into those strings and have them executed on the controller.
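The following is an added illustration of the vulnerability class described above, written in Python rather than the PHP the real endpoints use; it is not Aviatrix code. The command path (/usr/local/bin/flightpath), the --cloud-type flag and the allowlist of cloud type codes are assumptions. It contrasts the unsafe pattern (a request parameter interpolated into a shell command line) with proper neutralization (allowlist validation plus an argument vector instead of a shell string). The unsafe command line is only built and inspected, never executed.

```python
import re

# Added illustration, not Aviatrix code: the real endpoints are PHP; the command
# path, flag and allowlist below are assumptions made for this example.
ALLOWED_CLOUD_TYPES = {"1", "4", "8"}  # hypothetical numeric cloud type codes


def build_command_unsafe(cloud_type: str) -> str:
    """The pattern the advisory describes: a request parameter is interpolated
    straight into a shell command line. The string is returned, never executed,
    so the caller can inspect what the shell would have been handed."""
    return f"/usr/local/bin/flightpath --cloud-type {cloud_type}"


def shell_breakout_possible(cmdline: str) -> bool:
    """Cheap check: does the command line contain characters that would let a
    shell end the intended command and start another (or substitute one)?"""
    return re.search(r"[;&|`$()]", cmdline) is not None


def validate_cloud_type(cloud_type: str) -> str:
    """Proper neutralization: a strict allowlist, applied before the value goes
    anywhere near a command. Shell metacharacters cannot pass this check."""
    if not re.fullmatch(r"[0-9]{1,3}", cloud_type) or cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"rejected cloud_type: {cloud_type!r}")
    return cloud_type


def accepts(cloud_type: str) -> bool:
    """True if the value survives validation, False if it is rejected."""
    try:
        validate_cloud_type(cloud_type)
        return True
    except ValueError:
        return False


def build_command_safe(cloud_type: str) -> list:
    """Argument vector for subprocess.run(argv) without shell=True: the value
    occupies exactly one argv slot and has already passed the allowlist."""
    return ["/usr/local/bin/flightpath", "--cloud-type", validate_cloud_type(cloud_type)]


if __name__ == "__main__":
    tainted = "1; echo injected"  # constructed: a parameter carrying a second command
    unsafe = build_command_unsafe(tainted)
    print(unsafe, "-> breakout possible:", shell_breakout_possible(unsafe))
    print(build_command_safe("4"))
    print("tainted value accepted by validator:", accepts(tainted))
```

The point of the safe variant is that both layers matter: the allowlist rejects anything that is not a known cloud type code, and the argument vector means that even a value which somehow slipped through could not terminate the command or chain another one.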

Wiz Research data: what's the risk to cloud environments?

Based on our data, around 3% of enterprise cloud environments have Aviatrix Controller deployed. However, our data shows that in 65% of those environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions.

We attribute this to the fact that, by default, Aviatrix Controller is granted high IAM privileges in AWS cloud environments through the roles it can assume; according to the vendor's documentation, those roles must be allowed to perform IAM actions in order for the controller to function properly.

This lateral movement potential makes Aviatrix Controller a prime target for threat actors aiming to move laterally and escalate their privileges in the cloud environment once they gain initial access to the controller by exploiting this RCE.

What sort of exploitation has been identified in the wild?

The vulnerability was published on 2025-01-07, alongside a blog post by the researcher who discovered it (Jakub Korepta of SecuRing) explaining in detail how it can be exploited. A proof-of-concept exploit based on the blog post was made publicly available by a security researcher (newlinesec) on 2025-01-08. Immediately following the publication of the exploit, Wiz Research identified evidence of successful exploitation of this vulnerability across several cloud environments.

In all observed instances, the infected machines were publicly exposed, confirmed as vulnerable to CVE-2024-50603, and not vulnerable to CVE-2021-40870 (the last known RCE vulnerability affecting Aviatrix Controller), which leads us to conclude with high confidence that the attackers gained access to these machines via exploitation of the recent RCE. All observed malware was first deployed between 2025-01-07 and 2025-01-10, with exploitation surging following the publication of a Nuclei template.

Our investigation of these instances has shown that the threat actors exploiting this vulnerability are abusing their access to mine cryptocurrency using XMRig and to deploy Sliver backdoors, presumably for persistence (to avoid losing access if the infected machine is patched).

Additionally, we have observed multiple (failed) attempts to infect Aviatrix Controller instances with Mirai via exploitation of CVE-2024-50603. Furthermore, at least one of the actors deploying Sliver backdoors has been conducting their operations from the IP address 172.104.60[.]176, but this is likely a shared proxy server and therefore not strictly useful as an IOC.

While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims' cloud environments.

Which products are affected?

This vulnerability impacts Aviatrix Controller in versions before 7.1.4191 and versions 7.2.x before 7.2.4996.

Which actions should security teams take?

Patch vulnerable instances and reduce attack surface

It is recommended to upgrade Aviatrix Controller to the patched version (7.2.4996), and if possible, we also suggest implementing network restrictions to prevent public access to Aviatrix Controller.

Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to search for publicly exposed as well as vulnerable instances of Aviatrix Controller in their environment.

Proactively hunt for evidence of compromise

Whether or not your environment is already patched, it is critical to hunt for any evidence of prior compromise, to ensure that no backdoors were left behind and that no lateral movement to the cloud control plane has occurred.

Security teams can utilize Wiz to proactively hunt for evidence of compromise using the following methods:

  • Review the threat page for any threats associated with compute resources hosting Aviatrix Controller [Wiz Defend customers only].

  • Use the Security Graph to search for malware findings on compute resources hosting Aviatrix technologies.

  • Use the Cloud Events Explorer to search for network-based IOCs in any IP address field (see Appendix).

  • Use the Cloud Events Explorer to search for any cloud provider security alerts where the principal is the compute resource hosting Aviatrix Controller.

  • Use the Cloud Events Explorer to search for AWS CloudTrail events where the “Acting As” field is set to one of the default Aviatrix roles (aviatrix-role-ec2 or aviatrix-role-app), and the principal IP address hasn't been previously observed, or is performing abnormal API calls.

  • Use the Cloud Events Explorer to review network logs for any abnormal DNS requests or outgoing IP connections from Aviatrix Controller devices.

For effective threat hunting, make sure control, security, and network logs are properly integrated with Wiz.
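The hunting method above that inspects AWS CloudTrail events acted under the default Aviatrix roles can be reproduced outside Wiz as well. The following is an added example, not part of the original post or Wiz tooling: it reads CloudTrail records, keeps those whose session was issued by aviatrix-role-ec2 or aviatrix-role-app, and flags a record when its source IP is not in a baseline of previously observed addresses or when its API call falls outside a set of calls the controller is expected to make. The baseline IPs, the expected-call set, the account ID and the sample records are all constructed for the example.

```python
import json
import re
from dataclasses import dataclass

# Default Aviatrix roles named in the advisory.
AVIATRIX_ROLES = {"aviatrix-role-ec2", "aviatrix-role-app"}

# Assumptions for this example (constructed): the source IPs the controller has
# historically used, and the API calls it is expected to make. In practice both
# would be learned from a baseline period of the controller's own CloudTrail.
BASELINE_SOURCE_IPS = {"203.0.113.10"}
EXPECTED_EVENTS = {"DescribeInstances", "DescribeVpcs", "DescribeRouteTables", "AssumeRole"}


@dataclass
class Finding:
    event_time: str
    role: str
    event_name: str
    source_ip: str
    reasons: list


def assumed_role_name(record: dict):
    """Return the IAM role a record's session was issued for, or None if the
    call was not made under an assumed role."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    if issuer.get("userName"):
        return issuer["userName"]
    # Fall back to the session ARN: arn:aws:sts::<acct>:assumed-role/<role>/<session>
    m = re.search(r":assumed-role/([^/]+)/", ident.get("arn", ""))
    return m.group(1) if m else None


def hunt(records, baseline_ips=BASELINE_SOURCE_IPS, expected=EXPECTED_EVENTS):
    """Flag Aviatrix-role activity from an unseen source IP or outside the
    expected API call set. Benign records under other roles are ignored."""
    findings = []
    for r in records:
        role = assumed_role_name(r)
        if role not in AVIATRIX_ROLES:
            continue
        reasons = []
        ip = r.get("sourceIPAddress", "")
        if ip not in baseline_ips:
            reasons.append("source IP not previously observed")
        if r.get("eventName") not in expected:
            reasons.append("API call outside expected set")
        if reasons:
            findings.append(Finding(r.get("eventTime", ""), role, r.get("eventName", ""), ip, reasons))
    return findings


# Constructed sample CloudTrail records (account ID and IPs are documentation values).
SAMPLE_CLOUDTRAIL = json.loads("""[
 {"eventTime": "2025-01-08T10:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-app/s1",
                   "sessionContext": {"sessionIssuer": {"userName": "aviatrix-role-app"}}}},
 {"eventTime": "2025-01-08T10:05:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-app/s2",
                   "sessionContext": {"sessionIssuer": {"userName": "aviatrix-role-app"}}}},
 {"eventTime": "2025-01-08T10:06:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/admin-role/s3",
                   "sessionContext": {"sessionIssuer": {"userName": "admin-role"}}}},
 {"eventTime": "2025-01-08T10:07:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/aviatrix-role-ec2/i-0abc"}}
]""")


if __name__ == "__main__":
    for f in hunt(SAMPLE_CLOUDTRAIL):
        print(f.event_time, f.role, f.event_name, f.source_ip, "; ".join(f.reasons))
```

The second sample record is the shape to look for: an IAM write call (CreateAccessKey) under aviatrix-role-app from an address the controller has never used. The fourth shows that a record without a sessionIssuer still resolves to its role from the session ARN, so it is not silently dropped.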

Appendix - Indicators of compromise

IOC | Description
--- | ---
91.193.19[.]109:13333 | Sliver C2 server IP address
107.172.43[.]186:3939 | Cryptocurrency mining pool IP address
83.222.191[.]91 | Mirai C2 server IP address
91.188.254[.]21 | Mirai C2 server IP address
1ce0c293f2042b677cd55a393913ec052eded4b9 | XMRig (SHA1)
68d88d1918676c87dcd39c7581c3910a9eb94882 | XMRig (SHA1)
c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349 | XMRig (SHA1)
c63f646edfddb4232afa5618e3fac4eee1b4b115 | XMRig (SHA1)
e10e750115bf2ae29a8ce8f9fa14e09e66534a15 | Sliver (SHA1)
41d589a077038048c4b120494719c905e71485ba | Sliver (SHA1)
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.system_logs/momika233-2024-04-29-xmrig.zip | XMRig (Path)
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/moneroocean/xmrig | XMRig (Path)
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/.uid/udiskssd | XMRig (Path)
/tmp/systemd-private-[0-9a-f]{32}-apache2.service-[0-9a-zA-Z]{6}/tmp/config | Sliver (Path)
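The path indicators above are regular expressions (the systemd private tmp directory of apache2 carries a random suffix), so matching them needs a regex engine rather than a string compare. The following is an added example, not part of the original post: it loads the appendix IOCs verbatim, refangs the network indicators, and checks a host file inventory (path plus SHA1) and a list of outbound connections against them. The sample inventory, the non-IOC hashes in it and the connection list are constructed; an IP-only indicator matches any destination port, and the dots in the path patterns are escaped so they match literally.

```python
import re

# IOCs copied from the advisory's appendix, kept in their defanged form.
NETWORK_IOCS = {
    "91.193.19[.]109:13333": "Sliver C2 server IP address",
    "107.172.43[.]186:3939": "Cryptocurrency mining pool IP address",
    "83.222.191[.]91": "Mirai C2 server IP address",
    "91.188.254[.]21": "Mirai C2 server IP address",
}
HASH_IOCS = {
    "1ce0c293f2042b677cd55a393913ec052eded4b9": "XMRig (SHA1)",
    "68d88d1918676c87dcd39c7581c3910a9eb94882": "XMRig (SHA1)",
    "c4f63a3a6cb6b8aae133bd4c5ac6f2fc9020c349": "XMRig (SHA1)",
    "c63f646edfddb4232afa5618e3fac4eee1b4b115": "XMRig (SHA1)",
    "e10e750115bf2ae29a8ce8f9fa14e09e66534a15": "Sliver (SHA1)",
    "41d589a077038048c4b120494719c905e71485ba": "Sliver (SHA1)",
}
# Common prefix of the published path patterns; dots escaped to match literally.
SYSTEMD_TMP = r"/tmp/systemd-private-[0-9a-f]{32}-apache2\.service-[0-9a-zA-Z]{6}"
PATH_IOCS = {
    SYSTEMD_TMP + r"/tmp/\.system_logs/momika233-2024-04-29-xmrig\.zip": "XMRig (Path)",
    SYSTEMD_TMP + r"/tmp/moneroocean/xmrig": "XMRig (Path)",
    SYSTEMD_TMP + r"/tmp/\.uid/udiskssd": "XMRig (Path)",
    SYSTEMD_TMP + r"/tmp/config": "Sliver (Path)",
}


def refang(ioc: str) -> str:
    """Turn the published '1.2.3[.]4' form back into a routable string."""
    return ioc.replace("[.]", ".")


def match_network(connections):
    """connections: iterable of (dst_ip, dst_port). Returns (endpoint, description)
    hits; an IOC without a port matches any port."""
    hits = []
    for ip, port in connections:
        for ioc, desc in NETWORK_IOCS.items():
            host, _, ioc_port = refang(ioc).partition(":")
            if ip == host and (not ioc_port or int(ioc_port) == port):
                hits.append((f"{ip}:{port}", desc))
    return hits


def match_files(inventory):
    """inventory: iterable of (path, sha1_hex). Returns (path, description) hits;
    a file can hit on its hash, its path, or both."""
    hits = []
    for path, sha1 in inventory:
        if sha1.lower() in HASH_IOCS:
            hits.append((path, HASH_IOCS[sha1.lower()]))
        for pattern, desc in PATH_IOCS.items():
            if re.fullmatch(pattern, path):
                hits.append((path, desc))
    return hits


# Constructed sample host inventory: two IOC paths under a fabricated systemd
# tmp directory, one file that also carries a published XMRig hash, one clean file.
# The non-IOC hashes are placeholders, not real file digests.
SAMPLE_INVENTORY = [
    ("/tmp/systemd-private-" + "a" * 32 + "-apache2.service-Ab12Cd/tmp/moneroocean/xmrig",
     "C4F63A3A6CB6B8AAE133BD4C5AC6F2FC9020C349"),
    ("/tmp/systemd-private-" + "0" * 32 + "-apache2.service-zz99ZZ/tmp/config",
     "0000000000000000000000000000000000000001"),
    ("/usr/bin/python3", "0000000000000000000000000000000000000002"),
]
# Constructed sample outbound connections as (dst_ip, dst_port).
SAMPLE_CONNECTIONS = [("91.193.19.109", 13333), ("83.222.191.91", 443), ("198.51.100.5", 443)]


if __name__ == "__main__":
    for hit in match_files(SAMPLE_INVENTORY) + match_network(SAMPLE_CONNECTIONS):
        print(*hit)
```

Hash comparison is case-insensitive because tools disagree on hex case; the path match uses fullmatch so a pattern cannot accidentally hit a longer path that merely starts the same way.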
