Two vulnerabilities in Aviatrix Controller have been discovered that, when chained together, enable unauthorised access and remote code execution within a simulated cloud environment. The issues, tracked as CVE-2025-2171 and CVE-2025-2172 and disclosed by Mandiant, affected Aviatrix Controller versions up to 7.2.5012. Aviatrix has since issued patches in versions 8.0.0, 7.2.5090, and 7.1.4208.

According to Mandiant’s official blog post detailing the Red Team engagement, the flaws included an administrator authentication bypass (CVE-2025-2171) and an authenticated command injection (CVE-2025-2172). The engagement, which targeted a tightly scoped environment, identified Aviatrix Controller as a high-value asset due to its central role in managing multi-cloud connectivity and access to cloud APIs.

Token entropy and authentication validation gaps exploited to bypass login controls

Mandiant’s investigation began with an assessment of Aviatrix Controller’s password reset mechanism. The team found that reset tokens were six-digit numeric values ranging from 111111 to 999999, resulting in 888,888 possible combinations. No rate-limiting or lockout mechanism was observed for invalid attempts, enabling a brute-force attack within the 15-minute expiration window of each token.

Using automated tooling, the Red Team reportedly succeeded in resetting the administrator password after approximately 16 hours of continuous requests. This provided full administrative access to the Aviatrix Controller interface, enabling operations such as user creation, credential extraction, VPN configuration, and direct access to internal databases.

After obtaining initial access, the team examined the backend architecture for additional vulnerabilities. Mandiant noted that uploaded filenames were written to disk and passed to Python-based command-line utilities without sanitising tab characters. Because Aviatrix Controller uses shlex.split() to parse commands, tab characters in filenames were treated as argument delimiters, allowing injection of arbitrary flags into system-level commands.
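The parsing behaviour described above is easy to reproduce and just as easy to defend against. The following is an added example written for this article, not code from Aviatrix or Mandiant: the function and variable names are hypothetical, the `cp` command is used only because the article names it, and the filename allowlist is an assumption about what a certificate-upload handler should accept. It shows why `shlex.split()` turns a tab inside a filename into an extra argument, and then the two mitigations a defender would apply: validate the filename against a strict allowlist before it reaches any command, and build the argument vector as a list (with `--` to end option parsing) so no tokenising step exists for an attacker to influence.

```python
import re
import shlex
import string

# Constructed sample: a certificate filename carrying a tab and a benign cp flag.
SAMPLE_FILENAME = "cert.pem\t-v"
DEST_DIR = "/tmp/certs"  # hypothetical destination, not a real Aviatrix path


def build_argv_unsafe(filename, dest_dir):
    """Vulnerable pattern: the filename is interpolated into a command string
    and the string is tokenised with shlex.split(). shlex treats space, tab,
    CR and LF as token separators in POSIX mode, so a tab embedded in the
    filename becomes an argument boundary and everything after it is passed
    to cp as a separate argument."""
    command = f"cp {filename} {dest_dir}"
    return shlex.split(command)


# Hypothetical allowlist: letters, digits, dot, underscore, hyphen, 1-255 chars.
# Tabs, spaces, slashes and every other delimiter are rejected outright.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def filename_is_allowed(filename):
    """True only if the name matches the allowlist and cannot be parsed as an
    option (a leading '-') or a directory reference ('.' or '..')."""
    if SAFE_NAME.fullmatch(filename) is None:
        return False
    if filename in (".", "..") or filename.startswith("-"):
        return False
    return True


def build_argv_safe(filename, dest_dir):
    """Hardened pattern: validate first, then hand subprocess a list so that no
    shell-style tokenising happens. '--' tells cp that option parsing is over,
    which is a second layer of defence against names beginning with '-'."""
    if not filename_is_allowed(filename):
        raise ValueError("rejected filename: %r" % filename)
    return ["cp", "--", filename, dest_dir]


def has_embedded_whitespace(filename):
    """Detection helper for upload logs: flags any filename containing a
    character shlex would treat as a separator (space, tab, CR, LF, ...)."""
    return any(ch in string.whitespace for ch in filename)


if __name__ == "__main__":
    # Vulnerable: the tab splits the name and '-v' reaches cp as a flag.
    print(build_argv_unsafe(SAMPLE_FILENAME, DEST_DIR))
    # Hardened: the same name is refused before any command is built.
    print(filename_is_allowed(SAMPLE_FILENAME), filename_is_allowed("cert.pem"))
    print(build_argv_safe("cert.pem", DEST_DIR))
```

The safe variant would be executed with `subprocess.run(build_argv_safe(name, dest), check=True)`; because the list form never goes through a shell or `shlex`, a tab in the name could at worst become part of one literal filename, and the allowlist prevents even that. The `has_embedded_whitespace` check is the kind of rule a defender can run over upload audit logs to spot attempts against unpatched controllers.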

One such injection vector was identified in the Proxy Admin interface, where custom certificate files could be uploaded. The researchers crafted a filename that inserted command-line arguments into a cp command used by the backend, resulting in arbitrary file placement on the filesystem.

Mandiant exploited the above weakness to place a crafted file into /etc/crontab, enabling scheduled execution of commands under root privileges. This was achieved through a two-step process, which included renaming the uploaded file to “crontab”, and then moving it into the /etc directory by manipulating command-line parameters. The technique circumvented filename restrictions, including those prohibiting slashes and spaces.

Once the malicious crontab was in place, periodic callbacks confirmed successful execution with root-level access, validating the remote code execution vector.

With root access on the Aviatrix-hosted instance, the Red Team accessed the AWS Instance Metadata Service (IMDSv2) to extract temporary cloud credentials. While the default instance role had minimal permissions, Mandiant followed role-assumption procedures documented by Aviatrix to obtain elevated privileges. This step granted broader access to Amazon EC2 and S3 services, effectively completing the compromise of the cloud environment.

According to Mandiant’s blog, Aviatrix responded promptly and has remediated both vulnerabilities through targeted software updates.
