CVE-2024-50603: Aviatrix Controllers OS Command Injection Vulnerability
First published: Wed Jan 08 2025(Updated: )
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Aviatrix Controllers | ||
| Aviatrix Controllers | <7.1.4191 | |
| Aviatrix Controllers | >=7.2<7.2.4996 |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://docs.aviatrix.com/documentation/latest/network-security/index.html
- https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
- https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-aviatrix-controller-rce-flaw-in-attacks/
- https://www.darkreading.com/cloud-security/cloud-attackers-exploit-max-critical-aviatrix-rce-flaw
- https://www.theregister.com/2025/01/13/severe_aviatrix_controller_vulnerability/
- https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true
- https://nvd.nist.gov/vuln/detail/CVE-2024-50603
Frequently Asked Questions
What is the severity of CVE-2024-50603?
CVE-2024-50603 is classified as a critical vulnerability due to its potential for unauthorized remote code execution.
How do I fix CVE-2024-50603?
To fix CVE-2024-50603, upgrade Aviatrix Controller to version 7.1.4191 or later or 7.2.4996 or later.
Who is affected by CVE-2024-50603?
CVE-2024-50603 affects Aviatrix Controller versions prior to 7.1.4191 and 7.2.x prior to 7.2.4996.
What kind of attack is possible with CVE-2024-50603?
CVE-2024-50603 can allow an unauthenticated attacker to execute arbitrary commands on vulnerable systems.
What should I do if I cannot upgrade to mitigate CVE-2024-50603?
If you cannot upgrade, consider isolating affected systems and monitoring for unauthorized access until a patch is applied.
- agent/first-publish-date
- agent/type
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-50603
- collector/darkreading
- source/Dark Reading
- collector/the-register
- source/The Register
- alias/CVE-2021-40870
- agent/remedy
- agent/title
- agent/references
- agent/description
- agent/trending
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/author
- agent/source
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- vendor/aviatrix
- canonical/aviatrix controllers
- version/aviatrix controllers/7.2