Critical Aviatrix Controller flaw exploited to install backdoors and cryptominers

A recently disclosed critical security vulnerability in the Aviatrix Controller cloud networking platform is being exploited by threat actors to deploy backdoors and cryptocurrency miners, cybersecurity firm Wiz has warned.

Tracked as CVE-2024-50603, the flaw is an operating system command injection that is reachable without authentication, so it gives an unauthenticated attacker remote code execution on the controller. It stems from improper input validation: the value of the "cloud_type" parameter sent to the /v1/api/list_flightpath_destination_instances endpoint, and of the "src_cloud_type" parameter sent to the /v1/api/flightpath_connection_test endpoint, is incorporated into an OS command without being checked. Successful exploitation can lead to the compromise of the cloud environment the controller manages.
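As an added illustration of the bug class the advisory describes (hypothetical code, not Aviatrix's, with a plain `echo` standing in for the real backend command and an invented allowlist of cloud_type codes): a request parameter spliced straight into a shell string, beside a hardened form that validates the value and passes it as a single argv element with no shell involved.

```python
"""Illustration of the CVE-2024-50603 bug class: an HTTP parameter spliced
into an OS command without validation. Hypothetical code, not Aviatrix's.
The stand-in command is a plain `echo` so the example runs anywhere."""
import re
import subprocess

# Assumption (invented for the example): the backend accepts a small
# fixed set of numeric cloud_type codes.
ALLOWED_CLOUD_TYPES = {"1", "4", "8", "16"}


def build_command_vulnerable(cloud_type: str) -> str:
    # The parameter is interpolated straight into a shell string, so any
    # shell metacharacter (; | & $() `) in cloud_type changes the command.
    return f"echo listing destinations for cloud_type {cloud_type}"


def run_vulnerable(cloud_type: str) -> str:
    # shell=True hands the whole string to /bin/sh, which is what turns
    # the string interpolation above into command injection.
    out = subprocess.run(build_command_vulnerable(cloud_type), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def validate_cloud_type(cloud_type: str) -> str:
    # Two layers: a syntactic check (short decimal integer) and a semantic
    # one (a value the backend actually knows). Reject, never "sanitise".
    if not re.fullmatch(r"\d{1,3}", cloud_type):
        raise ValueError("cloud_type must be a short decimal integer")
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unknown cloud_type {cloud_type!r}")
    return cloud_type


def run_hardened(cloud_type: str) -> str:
    # Validate first, then use an argv list with the default shell=False:
    # the value reaches the program as one argument and is never parsed
    # by a shell, so metacharacters have no special meaning.
    ct = validate_cloud_type(cloud_type)
    out = subprocess.run(["echo", "listing", "destinations", "for",
                          "cloud_type", ct], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    benign = "4"
    # Constructed malicious parameter value, as an HTTP client could send it.
    malicious = "4; echo INJECTED"
    print(run_vulnerable(benign), end="")
    print(run_vulnerable(malicious), end="")   # second line "INJECTED" is the injected command's output
    print(run_hardened(benign), end="")
    try:
        run_hardened(malicious)
    except ValueError as e:
        print("rejected:", e)
```

The vulnerable path executes whatever follows the `;`; the hardened path rejects the same input before any process is spawned, and even an allowlisted value is passed as data rather than as part of a command line.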

Wiz said it is currently responding to “multiple incidents” of active exploitation, including the deployment of cryptocurrency miners and of the Sliver command-and-control (C2) framework, which attackers use to keep access to compromised systems.

Wiz estimates that Aviatrix Controller is deployed in around 3% of enterprise cloud environments, and that in approximately 65% of those deployments the controller host has an unguarded lateral-movement path to administrative cloud permissions. Because the controller needs broad permissions over the cloud accounts it manages, an attacker who compromises it could escalate privileges and gain full control of cloud resources.

So far, attackers have used the vulnerability to gain initial access to the controller host, deploying the XMRig cryptocurrency miner to mine Monero. They have also deployed the Sliver C2 framework, likely for persistence and follow-on exploitation.

Wiz researchers noted that, although there is no concrete evidence of lateral movement yet, it is highly likely that threat actors are using the foothold to enumerate the cloud permissions available to the controller, which could then allow them to move deeper into the environment and exfiltrate sensitive data.

Aviatrix has released patched versions, 7.1.4191 and 7.2.4996, for the affected release lines. Users are strongly advised to upgrade as soon as possible and, regardless of patch status, to ensure the Aviatrix Controller is not reachable from the public internet, which removes the unauthenticated attack path.
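For teams checking whether they were probed before patching, here is an added triage helper (not from Wiz or Aviatrix) that scans web-server access logs for requests to the two endpoints named above whose cloud_type / src_cloud_type value is not the small integer a legitimate client would send. It assumes the parameter appears in the logged query string; a value sent in a POST body is not in the access log and would need the application's own request log instead. The log lines are constructed for the example.

```python
"""Added triage helper: flag access-log requests to the CVE-2024-50603
endpoints whose cloud_type / src_cloud_type value is not a plain integer.
Assumes the parameter is visible in the logged query string."""
import re
from urllib.parse import unquote_plus, urlsplit

# Endpoint -> parameter the advisory says is handled unsafely.
WATCHED = {
    "/v1/api/list_flightpath_destination_instances": "cloud_type",
    "/v1/api/flightpath_connection_test": "src_cloud_type",
}
# Legitimate values are short integers; anything else is worth a look.
VALID_VALUE = re.compile(r"^\d{1,3}$")
# Common shell metacharacters, reported only to explain why a hit fired.
META = re.compile(r"[;|&`$(){}<>\n]")

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def query_params(query: str) -> dict:
    # Split on '&' only: a raw ';' in the query must survive decoding so it
    # can be flagged, and the separator rules of parse_qs vary by version.
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def check_line(line: str):
    """Return a finding dict for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    param = WATCHED.get(parts.path)
    if param is None:
        return None
    for value in query_params(parts.query).get(param, []):
        if not VALID_VALUE.match(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"),
                    "path": parts.path, "param": param, "value": value,
                    "shell_meta": bool(META.search(value))}
    return None


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in (check_line(l) for l in lines) if f]


# Constructed sample log (not real traffic): one benign request to a watched
# endpoint, two with injected metacharacters, one hit on an unwatched path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "GET /v1/api/list_flightpath_destination_instances?cloud_type=4 HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Jan/2025:12:00:05 +0000] "GET /v1/api/list_flightpath_destination_instances?cloud_type=4%3Bid HTTP/1.1" 200 98',
    '198.51.100.9 - - [10/Jan/2025:12:00:09 +0000] "GET /v1/api/flightpath_connection_test?src_cloud_type=1%24%28id%29 HTTP/1.1" 200 98',
    '203.0.113.7 - - [10/Jan/2025:12:00:12 +0000] "GET /v1/api/other_endpoint?cloud_type=4%3Bid HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a reason to pull the controller's process and shell history for that timestamp, not proof of compromise on its own; conversely, a clean access log says nothing about requests whose parameters were carried in a POST body.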
