A recently disclosed critical security flaw impacting the Aviatrix Controller cloud networking platform has come under active exploitation in the wild to deploy backdoors and cryptocurrency miners.
Cloud security firm Wiz said it’s currently responding to “multiple incidents” involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in unauthenticated remote code execution.
Put differently, a successful exploitation of the flaw could permit an attacker to inject malicious operating system commands owing to the fact that certain API endpoints do not adequately sanitize user-supplied input. The vulnerability has been addressed in versions 7.1.4191 and 7.2.4996.
Jakub Korepta, a security researcher at Polish cybersecurity company Securing, has been credited with discovering and reporting the shortcoming. A proof-of-concept (PoC) exploit has since been made publicly available.
Data gathered by the cybersecurity company shows that around 3% of cloud enterprise environments have Aviatrix Controller deployed, out of which 65% of them demonstrate a lateral movement path to administrative cloud control plane permissions. This, in turn, allows for privilege escalation in the cloud environment.
“When deployed in AWS cloud environments, Aviatrix Controller allows privilege escalation by default, making exploitation of this vulnerability a high-impact risk,” Wiz researchers Gal Nagli, Merav Bar, Gili Tikochinski, and Shaked Tanchuma said.
Real-world attacks exploiting CVE-2024-50603 are leveraging the initial access to target instances to mine cryptocurrency using XMRig and deploying the Sliver command-and-control (C2) framework, likely for persistence and follow-on exploitation.
“While we have yet to see direct evidence of cloud lateral movement, we do believe it likely that threat actors are utilizing the vulnerability to enumerate the cloud permissions of the host and then pivot to exfiltrating data from the victims’ cloud environments,” Wiz researchers said.
In light of active exploitation, users are recommended to apply the patches as soon as possible and prevent public access to Aviatrix Controller.