
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2024-50603) was discovered in Aviatrix Controller affecting versions before 7.1.4191 and 7.2.x before 7.2.4996. The vulnerability allows unauthenticated attackers to execute arbitrary code through improper neutralization of special elements used in OS commands. The flaw was discovered by Jakub Korepta of SecuRing and publicly disclosed on January 7, 2025 (SecuRing Advisory).
The vulnerability stems from improper input sanitization in the Aviatrix Controller's API endpoints. Specifically, the vulnerability affects the cloudtype parameter of the listflightpathdestinationinstances action and srccloudtype parameter of the flightpathconnectiontest action in the /v1/api endpoint. The flaw has received a CVSS score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).
Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the controller system. In cloud environments, particularly AWS, the Aviatrix Controller often has high IAM privileges by default, making this vulnerability especially critical. Research by Wiz indicates that in 65% of environments, the virtual machine hosting Aviatrix Controller has a lateral movement path to administrative cloud control plane permissions (Wiz Research).
Aviatrix has released patches to address this vulnerability. Organizations should immediately upgrade to version 7.1.4191 or 7.2.4996. Additionally, Aviatrix recommends following Controller IP Access guidance and ensuring that controller port 443 is not exposed to the Internet. For environments where immediate patching is not possible, implementing network restrictions to prevent public access to Aviatrix Controller is advised (Aviatrix Advisory).
The vulnerability has garnered significant attention from the cybersecurity community due to its critical nature and active exploitation. CISA added CVE-2024-50603 to its Known Exploited Vulnerabilities (KEV) catalog on January 16, 2025, requiring Federal Civilian Executive Branch (FCEB) agencies to apply fixes by February 6, 2025 (Censys).
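As an added illustration (not code from Wiz, Aviatrix or the advisory), the script below flags requests to the two affected /v1/api actions whose cloudtype or srccloudtype value contains shell metacharacters, and checks a controller version string against the patched builds. The log line format and the assumption that the parameters arrive in the query string are mine.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Action -> parameter pairs the advisory names as injectable (CVE-2024-50603).
VULNERABLE_PARAMS = {
    "listflightpathdestinationinstances": "cloudtype",
    "flightpathconnectiontest": "srccloudtype",
}
# Characters that never belong in a cloud-type identifier: the detection signal.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed sample lines (not real Aviatrix logs) in an assumed
# "<client_ip> <method> <path_with_query> <status>" format; two carry metacharacters.
SAMPLE_LOG = """\
10.0.0.5 GET /v1/api?action=listflightpathdestinationinstances&cloudtype=aws 200
203.0.113.9 GET /v1/api?action=listflightpathdestinationinstances&cloudtype=aws%3Bfoo 200
198.51.100.7 GET /v1/api?action=flightpathconnectiontest&srccloudtype=gcp%7Cbar 500
10.0.0.8 GET /v1/api?action=login&username=admin 200
"""

def flag_request(url):
    """(action, param, value) if an affected parameter carries metacharacters, else None."""
    parts = urlsplit(url)
    if parts.path != "/v1/api":
        return None
    qs = parse_qs(parts.query)          # also percent-decodes the values
    action = qs.get("action", [""])[0]
    param = VULNERABLE_PARAMS.get(action)
    for value in (qs.get(param, []) if param else []):
        if SHELL_META.search(value):
            return (action, param, value)
    return None

def scan_log(text):
    """One finding dict per log line whose request flag_request() flags."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = flag_request(m.group("url")) if m else None
        if hit:
            findings.append({"ip": m.group("ip"), "action": hit[0],
                             "param": hit[1], "value": hit[2]})
    return findings

def is_affected_version(version):
    """Advisory ranges: anything before 7.1.4191, and 7.2.x before 7.2.4996."""
    major, minor, build = (int(x) for x in version.split("."))   # assumes major.minor.build
    fixed = {(7, 1): 4191, (7, 2): 4996}
    if (major, minor) in fixed:
        return build < fixed[(major, minor)]
    return (major, minor) < (7, 1)
```

The metacharacter check is a heuristic for triage: legitimate cloudtype values are short identifiers, so any hit against these two actions deserves a look, especially on a controller whose port 443 was reachable from the Internet.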
Source: This report was generated using AI