Two severe security vulnerabilities have been disclosed in Aviatrix Controller, a popular Software-Defined Networking (SDN) utility used to create links between different cloud vendors and regions.
The vulnerabilities, tracked as CVE-2025-2171 and CVE-2025-2172, allowed researchers to bypass authentication and gain root-level command execution on a fully patched system, potentially compromising connected cloud environments.
The first vulnerability (CVE-2025-2171) exploited a fundamental weakness in Aviatrix’s password reset mechanism.
Researchers discovered that when initiating a password reset for an administrator account, the system generated a 6-digit token with insufficient entropy – using numbers between 111,111 and 999,999, creating just 888,888 possible combinations.

More critically, the system lacked rate-limiting protections against brute-force attempts. Though tokens expired after 15 minutes, Mandiant demonstrated that the limited keyspace could be successfully brute-forced within this window.
The Red Team successfully exploited a fully patched Aviatrix Controller via authentication bypass, unsafe file upload, and argument injection.

After 16 hours of automated attempts (resetting the process every 15 minutes), researchers successfully compromised the administrator account.
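The two weaknesses in the reset flow described above are a small keyspace and no limit on guesses. The following is an added illustration, not Aviatrix's code, that measures the entropy of a token drawn from the 111,111 to 999,999 range and then shows the hardened pattern beside it: a CSPRNG token, stored only as a digest, that is single-use, expires after the 15-minute window the write-up mentions, and is discarded after a handful of failed guesses. The lockout threshold (MAX_ATTEMPTS) and the injectable clock are assumptions made so the behaviour can be exercised offline.

```python
"""Password-reset tokens: the weak pattern measured, the hardened pattern implemented.

Added example; not Aviatrix's code. Numbers other than the token range and the
15-minute expiry are assumptions chosen for illustration.
"""
import hashlib
import hmac
import math
import secrets
import time

WEAK_MIN, WEAK_MAX = 111_111, 999_999   # token range described in the write-up
TOKEN_TTL_SECONDS = 15 * 60             # the 15-minute expiry from the write-up
MAX_ATTEMPTS = 5                        # assumed lockout threshold (hypothetical)


def weak_token_bits() -> float:
    """Effective entropy, in bits, of a token drawn uniformly from the weak range.

    The answer is under 20 bits, which is what makes an unthrottled guess loop
    feasible inside the expiry window.
    """
    return math.log2(WEAK_MAX - WEAK_MIN + 1)


def strong_token() -> str:
    """Hardened: 32 bytes from the OS CSPRNG (256 bits), URL-safe encoded."""
    return secrets.token_urlsafe(32)


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class ResetTokenStore:
    """Per-account reset state with expiry, single use and an attempt counter.

    Only a digest of the token is kept, so reading the backing store (the
    write-up mentions a local MongoDB) does not hand an attacker live tokens.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, clock=time.time):
        self._ttl = ttl
        self._max = max_attempts
        self._clock = clock
        self._state = {}  # account -> [token_digest, issued_at, failed_attempts]

    def issue(self, account: str) -> str:
        """Create a fresh token for the account, replacing any outstanding one."""
        token = strong_token()
        self._state[account] = [_digest(token), self._clock(), 0]
        return token

    def verify(self, account: str, candidate: str) -> bool:
        """Check a candidate; expired, exhausted or consumed tokens all fail closed."""
        entry = self._state.get(account)
        if entry is None:
            return False
        digest, issued_at, attempts = entry
        if self._clock() - issued_at > self._ttl:
            del self._state[account]            # expired: require a new reset
            return False
        if attempts >= self._max:
            del self._state[account]            # too many guesses: invalidate
            return False
        entry[2] += 1
        ok = hmac.compare_digest(_digest(candidate), digest)  # constant-time compare
        if ok:
            del self._state[account]            # single use
        return ok


if __name__ == "__main__":
    print(f"weak token entropy: {weak_token_bits():.1f} bits")
    store = ResetTokenStore()
    token = store.issue("admin")
    print("wrong guess accepted:", store.verify("admin", "000000"))
    print("real token accepted:", store.verify("admin", token))
    print("replayed token accepted:", store.verify("admin", token))
```

The attempt counter is kept per account rather than per source address so that distributing guesses across IPs gains nothing, and the token is invalidated rather than merely delayed once the counter is exhausted; with a 256-bit token the counter is belt-and-braces, but it also bounds the damage if a weaker generator is ever reintroduced.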
“This gave us access to a plethora of cloud features, ranging from deploying OpenVPN configurations, creating users, obtaining user hashed credentials, reading from a local MongoDB, and more,” the researchers noted.
Aviatrix Cloud Controller
With administrator access secured, researchers identified a second vulnerability (CVE-2025-2172) in the Controller’s file handling system.
The vulnerability stemmed from insecure processing of uploaded filenames containing tab characters, which weren’t properly sanitized.
The vulnerability exploited how the Python shlex module processes command strings. By crafting filenames with embedded tab characters, researchers could “smuggle” unexpected arguments to the underlying “cp” command that ran with root privileges via sudo.

“By carefully reading the man pages, we found this interesting argument: -S, --suffix=SUFFIX override the usual backup suffix,” researchers explained.
This allowed them to manipulate file paths and ultimately write a malicious crontab file to the /etc directory, establishing persistent root access to the Controller system.
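The root cause described above is that shlex tokenizes on whitespace, and a tab is whitespace, so a filename containing one becomes two argv elements when a command string is built and then split. The following added example (not Aviatrix's code) reproduces that splitting on a constructed filename, shows why shlex.quote alone is not enough when a name can begin with a dash, and gives the hardened form: an allowlist on the filename plus an argv list with a "--" terminator, so nothing in the name can ever be read as an option. The destination directory and the option text inside the constructed filename are placeholders.

```python
"""Tab characters in filenames under shlex: the defect reproduced, then the fix.

Added example, not the project's code. DEST_DIR and the constructed filename are
placeholders; the option name inside TAB_NAME is invented for illustration.
"""
import re
import shlex
from typing import List

DEST_DIR = "/var/uploads"  # assumed destination directory (hypothetical)

# Constructed input: a tab between the real name and an option-looking token.
TAB_NAME = "report.pdf\t--some-option=x"


def argv_via_shlex(filename: str) -> List[str]:
    """The vulnerable pattern: interpolate the name into a string, then shlex.split it.

    shlex treats tabs as word separators, so an embedded tab yields extra argv
    entries that the underlying command will parse as its own arguments.
    """
    return shlex.split(f"cp {filename} {DEST_DIR}/")


def shlex_splits_filename(filename: str) -> bool:
    """Detection check: True when the name expands to more than one argv word."""
    return len(argv_via_shlex(filename)) != 3


def argv_quoted(filename: str) -> List[str]:
    """Partial fix: shlex.quote keeps the name as one word, but a name that starts
    with '-' is still read as an option by the command, so this is not sufficient."""
    return shlex.split(f"cp {shlex.quote(filename)} {DEST_DIR}/")


# Allowlist: printable name characters only, no whitespace, no leading '-' or '.',
# no path separators. Length capped at 255 to match common filesystem limits.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def is_safe_filename(name: str) -> bool:
    """True only for names matching the allowlist in full."""
    return _SAFE_NAME.fullmatch(name) is not None


def argv_hardened(filename: str) -> List[str]:
    """Hardened: validate, then build an argv list (no shell, no string parsing)
    and terminate option parsing with '--' before the user-controlled value."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename")
    return ["cp", "--", filename, f"{DEST_DIR}/"]


if __name__ == "__main__":
    print("vulnerable argv:", argv_via_shlex(TAB_NAME))
    print("quoted argv:    ", argv_quoted(TAB_NAME))
    try:
        print("hardened argv:  ", argv_hardened(TAB_NAME))
    except ValueError as exc:
        print("hardened path:  ", exc)
```

When the hardened argv is handed to subprocess.run with shell=False, the list is passed to execve as-is, so the only remaining control an uploader has over the command is the bytes inside one argument, and the allowlist removes the bytes (whitespace, leading dashes, separators) that would matter. The same ordering (validate, then "--", then value) applies whether the command is cp or anything else invoked through sudo.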
Cloud Security Implications
The vulnerabilities highlighted significant risks for organizations using Aviatrix to manage multi-cloud environments.
Once compromised, attackers could pivot from the Controller to access connected cloud resources.
Mandiant demonstrated this by accessing the AWS IMDSv2 endpoint from the compromised Controller to obtain cloud credentials.
By performing an additional role assumption, they gained privileged access to EC2 instances, S3 buckets, and other AWS resources.
Aviatrix has patched these vulnerabilities in versions 8.0.0, 7.2.5090, and 7.1.4208. Organizations using Aviatrix Controller version 7.2.5012 or earlier should update immediately to prevent exploitation.
The discovery emphasizes how centralized network management systems can become prime targets for attackers seeking to compromise cloud environments.
As Mandiant noted, “Incidentally, compromising the Controller would mean having access to the centralized component which accesses all these cloud gateways and cloud APIs, making it a prime target for attackers”.