Critical Cloud Vulnerability CVE-2024-50603 Exploited to Deploy Crypto Miners Across Enterprise Networks

The cybersecurity landscape took a sharp turn on January 16, 2025, when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2024-50603 to its Known Exploited Vulnerabilities catalog. The flaw, a critical remote code execution vulnerability in the Aviatrix Controller cloud networking platform, had already been weaponized in the wild, with threat actors deploying cryptocurrency miners and persistent backdoors across enterprise cloud environments.

The Exploit Mechanics

CVE-2024-50603 carries a maximum CVSS score of 10.0, making it as severe as vulnerabilities get. The root cause lies in inadequate input sanitization across certain API endpoints within the Aviatrix Controller. An unauthenticated attacker can send specially crafted requests that inject arbitrary operating system commands, effectively gaining remote code execution on the host system without requiring any credentials.

Cloud security researchers at Wiz, who have been responding to multiple active exploitation incidents, discovered that threat actors are leveraging this initial access to deploy XMRig, a well-known cryptocurrency mining tool, alongside the Sliver command-and-control framework. Sliver, an open-source alternative to Cobalt Strike, provides attackers with persistent remote access and the ability to execute follow-on attacks, including lateral movement across cloud environments.

The attack chain follows a familiar pattern: exploit the vulnerability to gain initial access, deploy mining payloads for immediate monetization, and install C2 infrastructure for long-term persistence and data exfiltration. While direct evidence of cloud lateral movement has not been confirmed, researchers believe it is highly likely that attackers are enumerating cloud permissions and pivoting to extract sensitive data from victim environments.

Affected Systems

The scope of the vulnerability is concerning. According to data gathered by Wiz, approximately 3% of enterprise cloud environments have Aviatrix Controller deployed. Of those deployments, 65% demonstrate a lateral movement path to administrative cloud control plane permissions, creating a scenario where exploitation can rapidly escalate from a single compromised instance to full cloud environment takeover.

When deployed in AWS cloud environments, the Aviatrix Controller allows privilege escalation by default, compounding the risk. This means that even organizations with robust security postures in other areas could find their entire cloud infrastructure compromised through this single vulnerability. All releases prior to 7.1.4191 and 7.2.4996 are affected; those two versions contain the fix for the flaw.

A proof-of-concept exploit has been publicly available since the vulnerability was disclosed, lowering the barrier for entry for would-be attackers and contributing to the rapid escalation of exploitation attempts observed in the wild.

The Mitigation Strategy

Aviatrix was notified of the security vulnerability in late October 2024 and issued a hot patch in early November. The company has urged all customers to upgrade to versions 7.1.4191 or 7.2.4996 immediately. Organizations that cannot apply the patches right away should restrict public access to Aviatrix Controller instances as an interim measure.

Security teams should conduct thorough investigations of their cloud environments for signs of compromise, including the presence of XMRig processes, unexpected Sliver C2 communications, and unauthorized lateral movement attempts. Network logs should be reviewed for anomalous API calls to the Aviatrix Controller endpoints.
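As an added example (not from the article, Wiz, or Aviatrix), the following Python triage helper applies the two checks above to constructed log lines: it flags controller API requests whose decoded query parameters contain shell metacharacters, the pattern one would expect from command injection against an unsanitized endpoint, and lists processes named like XMRig. The API path prefix, parameter names, log samples and process listing are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hypothetical controller API path prefix; set it to the real controller's API base.
API_PREFIX = "/v1/api"
# Shell metacharacters that never belong in a legitimate controller API parameter.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{")
MINER_NAMES = ("xmrig",)

def suspicious_request(logline: str) -> bool:
    """True if the line is an API request whose decoded query has shell metacharacters."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"', logline)
    if not m:
        return False
    url = urlparse(m.group(1))
    if not url.path.startswith(API_PREFIX):
        return False
    # parse_qs percent-decodes values, so an encoded %3B is checked as ';'
    for values in parse_qs(url.query, keep_blank_values=True).values():
        if any(SHELL_META.search(v) for v in values):
            return True
    return False

def triage(log_lines, ps_lines):
    """Count injection-looking API requests per source IP and list miner processes."""
    attempts = {}
    for line in log_lines:
        if suspicious_request(line):
            ip = line.split()[0]
            attempts[ip] = attempts.get(ip, 0) + 1
    miners = [p for p in ps_lines if any(n in p.lower() for n in MINER_NAMES)]
    return {"injection_attempts": attempts, "miner_processes": miners}

# Constructed sample data (TEST-NET addresses, made-up paths and processes).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jan/2025:10:01:22 +0000] "GET /v1/api?action=get_status&instance_name=web01 HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/Jan/2025:10:02:03 +0000] "POST /v1/api?action=get_status&instance_name=web01%3Bid HTTP/1.1" 200 98',
    '198.51.100.7 - - [16/Jan/2025:10:02:09 +0000] "POST /v1/api?action=get_status&instance_name=%24%28id%29 HTTP/1.1" 200 98',
    '203.0.113.9 - - [16/Jan/2025:10:03:00 +0000] "GET /login HTTP/1.1" 200 3021',
]
SAMPLE_PS = [
    "root    1021  0.3 /usr/sbin/sshd",
    "nobody  4410 98.7 /tmp/.x/xmrig -o pool.example:3333",
    "root    1333  0.1 /usr/bin/python3 controller.py",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_PS))
```

A real hunt would feed it the controller's access log and a process listing from each instance, and a non-empty `miner_processes` list or any repeated source in `injection_attempts` is the cue to isolate the host and rotate the credentials it held.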

Lessons Learned

This incident highlights several critical lessons for the cryptocurrency and cloud security communities. First, the intersection of cloud infrastructure and cryptojacking remains a persistent threat. Attackers continue to target cloud services to hijack computing resources for cryptocurrency mining, costing organizations millions in unauthorized compute charges.

Second, default privilege escalation configurations represent a significant risk. Organizations should audit their cloud deployments for overly permissive default settings and implement the principle of least privilege across all cloud services, not just the ones they consider critical.

Third, the rapid weaponization of disclosed vulnerabilities underscores the importance of timely patching. The window between disclosure and active exploitation continues to shrink, leaving organizations with less time to respond.

User Action Required

If your organization uses Aviatrix Controller, take immediate action. Upgrade to the patched versions 7.1.4191 or 7.2.4996. Restrict public access to the controller until the patch is applied. Review cloud audit logs for signs of XMRig or Sliver activity. Rotate credentials that may have been exposed through the controller. Consider deploying runtime threat detection tools that can identify cryptojacking and C2 behavior in cloud environments.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research before making any investment decisions.

8 thoughts on “Critical Cloud Vulnerability CVE-2024-50603 Exploited to Deploy Crypto Miners Across Enterprise Networks”

  1. CVSS 10.0 and unauthenticated RCE on a cloud controller. This is why I never trust default deployments, always strip unused API endpoints

    1. stripping unused endpoints should be day one ops. cloud platforms ship with everything enabled because the default is convenience not security

      1. every cloud platform ships with everything enabled by default because their customers evaluate products on how fast they can get running. security is always someone else's problem until it's not

  2. XMRig on enterprise cloud instances is basically free money for attackers since nobody monitors CPU usage on their VPCs

    1. Sliver C2 framework too, not just miners. they were setting up persistent access while everyone focused on the crypto mining part

      1. miners as cover for C2 persistence is the real threat here. everyone sees crypto mining and thinks nuisance, meanwhile they have full command and control infrastructure

        1. cryptomining as cover for C2 is the oldest trick in the playbook. sysadmins see a CPU spike, think miner, kill process, done. meanwhile the real payload already moved laterally
