CVE-2024-50603
| CVSS Score | 10.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
| CWE | CWE-78 |
| Vendor | aviatrix |
| Product | controller |
| Published | Jan 8, 2025 |
| Last Updated | Oct 21, 2025 |
Actively Exploited
This vulnerability is actively exploited in the wild.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
Aviatrix / Controller
0 < 7.1.4191
7.2.0 < 7.2.4996
References
docs.aviatrix.com: https://docs.aviatrix.com/documentation/latest/network-security/index.html
docs.aviatrix.com: https://docs.aviatrix.com/documentation/latest/release-notices/psirt-advisories/psirt-advisories.html?expand=true#remote-code-execution-vulnerability-in-aviatrix-controllers
securing.pl: https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/
cisa.gov: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-50603