
Aviatrix Controller: CVE-2024-50603

Severity: CRITICAL (CVSS 3.1 base score 10.0)
Weakness: OS Command Injection (CWE-78)
Published: 2025-01-08 (cve@mitre.org)

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 18:02 (vuln.today)
Added to CISA KEV: Nov 05, 2025 - 19:11 (cisa)
PoC Detected (public exploit code): Nov 05, 2025 - 19:11 (vuln.today)
CVE Published: Jan 08, 2025 - 01:15 (nvd), rated CRITICAL 10.0

Description (NVD)

An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

Analysis (AI)

Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996 contains an OS command injection via improper neutralization of special elements in the /v1/api endpoint, allowing unauthenticated remote code execution.

Technical Context (AI)

The CWE-78 command injection affects the /v1/api endpoint, which fails to neutralize shell metacharacters in the cloud_type parameter of the list_flightpath_destination_instances action and in the src_cloud_type parameter of the flightpath_connection_test action. Because the endpoint requires no authentication, an unauthenticated attacker can inject OS commands that execute with the privileges of the Aviatrix Controller process.

Remediation (AI)

Update Aviatrix Controller immediately to a fixed release (7.1.4191 or later on the 7.1 branch, or 7.2.4996 or later on 7.2.x). Rotate all cloud API credentials accessible from the controller. Review cloud network configurations for unauthorized modifications. Restrict access to the controller management interface.


CVE-2024-50603 vulnerability details – vuln.today
