The vulnerability CVE-2024-50603 was disclosed on 2025-01-07, and a detailed blog post with a proof-of-concept exploit was released by researchers soon after. Evidence of exploitation in cloud environments was observed by Wiz Research, targeting publicly exposed, vulnerable machines. Attackers used the exploit to mine cryptocurrency with XMRig and to deploy Sliver backdoors for persistence. Exploitation peaked after a Nuclei template was published. Although cloud lateral movement has not been directly observed, it is likely that attackers are using the vulnerability to assess cloud permissions and potentially exfiltrate data.
The vulnerability resides in the improper handling of user-supplied parameters in the Aviatrix Controller's API, which is implemented in PHP. Specifically, the API endpoints list_flightpath_destination_instances and flightpath_connection_test incorporate parameters such as cloud_type and src_cloud_type into OS command strings without proper sanitization. Because the parameter value is concatenated directly into the command, shell metacharacters in it are interpreted by the shell, so an attacker can append their own commands. The result is arbitrary command execution on the controller, and because the affected endpoints did not require authentication, it is reachable by an unauthenticated user.
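To make the flaw concrete, the following is an added illustrative example, not Aviatrix's actual code and not taken from the original advisory or blog. It models a PHP API handler that builds a shell command from the cloud_type parameter, first in the vulnerable concatenation style described above and then in a hardened form that validates the value against an allowlist and quotes anything that reaches the shell. The executable path (/opt/example/flightpath), its flags, the set of allowed cloud type values, and the helper names are all assumptions made for the example.

```php
<?php
// Hypothetical handler modelled on the pattern described above. The binary,
// its flags and the allowed values are invented for this example; they are
// not Aviatrix's real implementation.

// --- Vulnerable pattern ----------------------------------------------------
// The parameter is concatenated straight into a shell command string, so a
// value such as
//     aws; id > /tmp/pwned
// terminates the intended command and the shell runs the attacker's.
function build_command_vulnerable(array $params): string
{
    $cloudType = $params['cloud_type'] ?? '';
    return "/opt/example/flightpath list-instances --cloud-type " . $cloudType;
}

function list_flightpath_destination_instances_vulnerable(array $params): string
{
    // shell_exec() hands the whole string to /bin/sh, metacharacters included.
    return (string) shell_exec(build_command_vulnerable($params));
}

// --- Hardened pattern ------------------------------------------------------
// 1. Reject anything that is not an expected value (fail closed).
// 2. Quote whatever still reaches the shell with escapeshellarg(), so even a
//    future allowlist entry containing odd characters cannot break out.
const ALLOWED_CLOUD_TYPES = ['aws', 'azure', 'gcp', 'oci'];  // assumed values

function cloud_type_is_valid(string $cloudType): bool
{
    return in_array($cloudType, ALLOWED_CLOUD_TYPES, true);
}

function build_command_hardened(array $params): string
{
    $cloudType = $params['cloud_type'] ?? '';
    if (!cloud_type_is_valid($cloudType)) {
        throw new InvalidArgumentException('unsupported cloud_type');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quote, so ';', '|', '$(...)' etc. are passed literally.
    return "/opt/example/flightpath list-instances --cloud-type "
        . escapeshellarg($cloudType);
}

function list_flightpath_destination_instances_hardened(array $params): string
{
    return (string) shell_exec(build_command_hardened($params));
}

// --- Demonstration -----------------------------------------------------------
// Constructed attacker input for the example; shows the two builders side by side
// without executing anything.
$attackerInput = ['cloud_type' => 'aws; id > /tmp/pwned'];

echo "vulnerable: " . build_command_vulnerable($attackerInput) . PHP_EOL;
// -> /opt/example/flightpath list-instances --cloud-type aws; id > /tmp/pwned
//    (two shell commands: the second one is the attacker's)

try {
    echo "hardened:   " . build_command_hardened($attackerInput) . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
}

echo "hardened:   " . build_command_hardened(['cloud_type' => 'aws']) . PHP_EOL;
// -> /opt/example/flightpath list-instances --cloud-type 'aws'
```

Two points are worth keeping in mind when applying this to a real code base. First, the allowlist is what actually removes the injection; escapeshellarg() is defence in depth, and on its own it is easy to misuse (for instance by quoting only some of the interpolated values). Where PHP 7.4 or later is available, passing an argv array to proc_open() avoids the shell entirely and is the preferable fix. Second, hardening the parameter handling does nothing about the other half of the problem the advisory describes: the affected endpoints were reachable without authentication, so the endpoint also needs an authentication check in front of it, not just input validation behind it.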