CVE-2024-50603 — Aviatrix Controllers OS Command Injection Vulnerability

CVE-2024-50603

Aviatrix Controller — CVSS 10.0 Pre-Auth Command Injection; Cryptominer and Backdoor Deployment; Cloud Network Pivoting

What is Aviatrix Controller?

Aviatrix is a cloud networking and SASE platform that provides centralized management of multi-cloud network architectures — connecting AWS, Azure, GCP, and OCI environments through a software-defined overlay network. The Aviatrix Controller is the central management plane that orchestrates all cloud gateways, VPN connections, and network policies across an organization's multi-cloud environment. Because the Controller manages cloud IAM credentials and network routing for the entire cloud estate, its compromise is catastrophic — equivalent to compromising the network perimeter of all connected cloud environments.

Overview

CVE-2024-50603 is a pre-authentication OS command injection vulnerability (CWE-78, CVSS 10.0) in the Aviatrix Controller API. An unauthenticated attacker can inject shell commands via the cloud_type parameter of the /v1/api endpoint, achieving remote code execution on the Controller. The Changed scope (S:C) reflects that compromising the Controller affects the entire multi-cloud network estate it manages. Active exploitation was confirmed targeting cloud environments for cryptomining and backdoor deployment, with significant risk of broader cloud credential exfiltration.

Affected Versions

Product               Vulnerable                                      Fixed
Aviatrix Controller   All versions before the January 2025 patches    Apply PSIRT advisory patches

Aviatrix uses rolling releases — contact Aviatrix support or reference the PSIRT advisory for your specific version's patch path.

Technical Details

The OS command injection (CWE-78) occurs in the /v1/api endpoint's cloud_type parameter (and the src_cloud_type parameter in the flightpath_connection_test function). These parameters accept a cloud type string (e.g., "aws", "azure") but are passed to an OS-level command without sanitization. By injecting shell metacharacters, an unauthenticated attacker can execute arbitrary commands in the context of the Controller's process.
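A defender-side illustration of the parameter described above, added here as an example that is not part of this advisory or of Aviatrix's code: an allowlist check of the kind the endpoint should have applied, plus a log scan that flags /v1/api requests whose cloud_type or src_cloud_type value is anything other than a known cloud name. The allowlist, the log format and the sample lines are assumptions; requests that carry the parameters in a POST body need body logging to be visible this way.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of cloud-type strings the API legitimately expects (the
# real set may differ); anything else in these parameters is suspect.
KNOWN_CLOUD_TYPES = {"aws", "azure", "gcp", "oci"}
SUSPECT_PARAMS = ("cloud_type", "src_cloud_type")
# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")
# Request line and status code from a combined-format access log.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def validate_cloud_type(value: str) -> str:
    # Server-side control: accept only allowlisted values; never pass raw text to a shell.
    if value.lower() not in KNOWN_CLOUD_TYPES:
        raise ValueError(f"unsupported cloud type: {value!r}")
    return value.lower()

def inspect_request(line: str) -> Optional[dict]:
    # Flag a /v1/api request whose cloud-type value is not a plain known cloud name.
    m = LOG_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/v1/api"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    for name in SUSPECT_PARAMS:
        for value in params.get(name, []):
            if value.lower() in KNOWN_CLOUD_TYPES:
                continue
            reason = "shell metacharacters" if SHELL_META.search(value) else "unknown cloud type"
            return {"param": name, "value": value, "reason": reason, "status": int(m.group("status"))}
    return None

def scan_log(lines):
    # One finding per suspicious request line, in log order.
    return [f for f in (inspect_request(l) for l in lines) if f]

# Constructed sample log lines (not real traffic); the third exercises the
# src_cloud_type parameter of flightpath_connection_test.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /v1/api?cloud_type=aws HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:07 +0000] "GET /v1/api?cloud_type=aws%3Bid HTTP/1.1" 200 78',
    '198.51.100.7 - - [10/Jan/2025:10:00:09 +0000] "GET /v1/api?src_cloud_type=aws%7Cid HTTP/1.1" 200 91',
    '203.0.113.9 - - [10/Jan/2025:10:00:12 +0000] "GET /v1/api?cloud_type=Foo HTTP/1.1" 400 40',
    '203.0.113.9 - - [10/Jan/2025:10:00:15 +0000] "GET /login HTTP/1.1" 200 2048',
]
```

A 200 status on a flagged line is the more worrying case, since the API accepted the request rather than rejecting the value.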

Cloud-specific post-exploitation impact (per Wiz Research):

  • The Aviatrix Controller process has access to cloud IAM credentials and API keys stored for managing cloud gateways
  • Post-exploitation, attackers can exfiltrate AWS, Azure and GCP credentials, which lets them access cloud resources directly without going through the Controller
  • Network routing manipulation: modify cloud network policies to redirect traffic or open unauthorized network paths
  • The Changed scope (S:C) reflects that the Controller's compromise affects all connected cloud environments, not just the Controller host

Discovery

The initial discovery is not publicly attributed. Wiz Research published analysis of the cloud-specific attack surface on January 15, 2025, documenting how Controller compromise translates to multi-cloud credential exfiltration.

Exploitation Context

Active exploitation was confirmed before the January 16, 2025 CISA KEV listing. Observed post-exploitation payloads included cryptominers and backdoors. The Aviatrix Controller's privileged position in cloud networking makes it highly attractive for more sophisticated follow-on attacks — cloud credential exfiltration can be more damaging than the initial controller compromise.

Remediation

  1. Apply Aviatrix Controller patches immediately per the PSIRT advisory. The CISA deadline was February 6, 2025.
  2. Restrict Controller API access — the /v1/api endpoint should not be internet-accessible. Place the Controller behind a VPN or restrict source IPs.
  3. Rotate all cloud credentials managed by the Aviatrix Controller: AWS IAM access keys, Azure service principal credentials, GCP service account keys, and other secrets stored in the Controller.
  4. Audit cloud activity logs (AWS CloudTrail, Azure Activity Log, GCP Audit Log) for unauthorized API calls from the Controller's IP address or using its credentials.
  5. Hunt for cryptominers on the Controller host and any Aviatrix gateway instances.
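Remediation step 4 in practice, as an added example that is not part of this advisory or of any Aviatrix tooling: a triage pass over constructed AWS CloudTrail records that flags calls made with the Controller's access key from an unexpected source IP, to a service outside its orchestration baseline, or to APIs typically associated with credential abuse. The key ID, the Controller IP and the expected-service baseline are assumed placeholders.

```python
import json

# Assumed placeholders for the demo: the Controller's IAM access key ID and
# its egress IP; substitute your own inventory values.
CONTROLLER_KEYS = {"AKIAEXAMPLECONTROLLER"}
CONTROLLER_IPS = {"203.0.113.10"}
# Illustrative baseline: services the Controller is expected to call for
# network orchestration. Derive the real set from historical CloudTrail data.
EXPECTED_SOURCES = {"ec2.amazonaws.com"}
# Calls that indicate credential abuse rather than network orchestration.
HIGH_RISK_EVENTS = {"GetCallerIdentity", "CreateUser", "CreateAccessKey",
                    "AssumeRole", "ListBuckets", "GetSecretValue"}

def triage_event(ev: dict):
    # Return a finding for a call made with a Controller key that deviates
    # from baseline, else None.
    if ev.get("userIdentity", {}).get("accessKeyId") not in CONTROLLER_KEYS:
        return None
    reasons = []
    if ev.get("sourceIPAddress") not in CONTROLLER_IPS:
        reasons.append("unexpected source IP")
    if ev.get("eventSource") not in EXPECTED_SOURCES:
        reasons.append("unexpected service")
    if ev.get("eventName") in HIGH_RISK_EVENTS:
        reasons.append("high-risk API call")
    if not reasons:
        return None
    return {"time": ev["eventTime"], "call": f'{ev["eventSource"]}:{ev["eventName"]}',
            "ip": ev.get("sourceIPAddress"), "reasons": reasons}

def audit_trail(trail_json: str):
    # Accepts a CloudTrail log file body ({"Records": [...]}) and returns findings.
    return [f for f in (triage_event(e) for e in json.loads(trail_json)["Records"]) if f]

# Constructed CloudTrail records (not real events).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpcs", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECONTROLLER"}},
    {"eventTime": "2025-01-10T09:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECONTROLLER"}},
    {"eventTime": "2025-01-10T09:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLECONTROLLER"}},
    {"eventTime": "2025-01-10T09:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEOTHERUSER"}},
]})
```

Any finding against a Controller key is a reason to complete step 3 (rotation) before finishing the investigation, since the key is the thing the attacker keeps.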

Key Details

Property               Value
CVE ID                 CVE-2024-50603
Vendor / Product       Aviatrix — Controllers
NVD Published          2025-01-08
NVD Last Modified      2025-11-05
CVSS 3.1 Score         10.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2025-01-16
CISA KEV Deadline      2025-02-06
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-02-06. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-01-08    CVE published; Aviatrix releases patches
2025-01-15    Wiz Research publishes analysis of cloud network compromise impact
2025-01-16    CISA adds to KEV; active exploitation confirmed
2025-02-06    CISA BOD 22-01 remediation deadline