CVE-2024-50603
Published: 08 January 2025
Summary
CVE-2024-50603 is a critical-severity OS Command Injection (CWE-78) vulnerability in Aviatrix Controller. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the command injection vulnerability by requiring timely flaw remediation through upgrading to fixed Aviatrix Controller versions 7.1.4191 or 7.2.4996.
- Prevents exploitation by implementing input validation at vulnerable API endpoints to neutralize shell metacharacters in cloud_type and src_cloud_type parameters before OS command execution.
- Facilitates early identification of CVE-2024-50603 via regular vulnerability scanning, enabling remediation before exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated command injection in public-facing Aviatrix Controller API directly enables T1190 (Exploit Public-Facing Application) for arbitrary code execution.
NVD Description
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Deeper analysis
CVE-2024-50603 is a command injection vulnerability (CWE-78) discovered in Aviatrix Controller versions before 7.1.4191 and 7.2.x before 7.2.4996. The issue stems from improper neutralization of special elements used in an OS command, enabling attackers to inject shell metacharacters via the /v1/api endpoint. Specifically, the cloud_type parameter in list_flightpath_destination_instances or the src_cloud_type parameter in flightpath_connection_test can be abused to execute arbitrary code.
An unauthenticated attacker can exploit this vulnerability remotely with low attack complexity, no user interaction, and no privileges required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, base score 10.0). Successful exploitation grants arbitrary code execution on the Aviatrix Controller, potentially compromising the entire system with high impacts to confidentiality, integrity, and availability, along with a changed scope.
Aviatrix advisories recommend upgrading to version 7.1.4191 or 7.2.4996 to mitigate the vulnerability. The issue is documented in Aviatrix PSIRT release notices and other security resources, with the vulnerability also listed in the CISA Known Exploited Vulnerabilities Catalog.
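As an added example (not Aviatrix code and not part of the original page), the following sketch applies the input-validation idea to request review: it flags POST bodies sent to /v1/api where the affected action's cloud_type or src_cloud_type value falls outside a strict allowlist. It assumes form-encoded bodies, that the action name travels in a field called `action`, and that legitimate values are short alphanumeric tokens; the sample requests are constructed.

```python
import re
from urllib.parse import parse_qs

# Affected action -> parameter named in the advisory text for that action.
AFFECTED = {
    "list_flightpath_destination_instances": "cloud_type",
    "flightpath_connection_test": "src_cloud_type",
}
# Assumption: legitimate values are short alphanumeric tokens. An allowlist
# rejects every shell metacharacter without having to enumerate them.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def check_request(path, body):
    """Return (action, field, value) findings for one form-encoded POST body."""
    if path.rstrip("/") != "/v1/api":
        return []
    params = parse_qs(body, keep_blank_values=True)
    findings = []
    # Assumption: the action name is carried in a form field called `action`.
    for action in params.get("action", []):
        field = AFFECTED.get(action)
        if field is None:
            continue  # not one of the two actions named in the advisory
        for value in params.get(field, []):
            if not SAFE_VALUE.fullmatch(value):
                findings.append((action, field, value))
    return findings


# Constructed sample requests (not captured traffic); PLACEHOLDER stands in
# for whatever would follow a metacharacter. `other_action` and `/v2/api`
# are hypothetical names used only as negative cases.
SAMPLES = [
    ("/v1/api", "action=list_flightpath_destination_instances&cloud_type=1"),
    ("/v1/api", "action=list_flightpath_destination_instances&cloud_type=1%7CPLACEHOLDER"),
    ("/v1/api", "action=flightpath_connection_test&src_cloud_type=1%3BPLACEHOLDER"),
    ("/v1/api", "action=other_action&cloud_type=1%3BPLACEHOLDER"),
    ("/v2/api", "action=flightpath_connection_test&src_cloud_type=1%3BPLACEHOLDER"),
]


def scan(samples):
    """Run check_request over (path, body) pairs and collect all findings."""
    return [f for path, body in samples for f in check_request(path, body)]


if __name__ == "__main__":
    for action, field, value in scan(SAMPLES):
        print(f"suspicious {field}={value!r} in action {action}")
```

A check like this complements the upgrade to 7.1.4191 or 7.2.4996 and does not replace it.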
Details
- CWE(s)
- KEV Date Added: 16 January 2025