PSIRT Advisories
The Aviatrix Product Security Team continually tests the software product, looking for vulnerabilities and weaknesses. If you have a security issue to report, please open a support ticket on the Aviatrix Support Portal. Findings from either source are fed back to Aviatrix's development teams, and serious issues are described, along with protective measures, in the advisories below.
Please note the following Aviatrix security recommendations and communication plans:
-
Aviatrix strongly recommends that customers stay on the latest release to obtain feature and bug fixes. All fixes ship in new releases; Aviatrix does not patch older release versions.
-
Customers are strongly recommended to perform an image migration twice a year. The migration process provides the latest system-level security patches.
-
Aviatrix Systems submits all known software vulnerabilities to MITRE for CVE ID assignment.
-
Aviatrix publishes Field Notices and sends alerts to Controller administrators in the Controller console when security-related issues are published.
Multiple Vulnerabilities in Aviatrix Controllers
Date 06/26/2025
CVE # CVE-2025-2171 - Lack of password reset rate limiting exposes accounts to brute-force attacks.
-
Risk Rating: CVSS 7.8 (High) CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:P
-
Description: There is no rate limiting and no maximum number of attempts on a password reset. An attacker could request a reset token for an account and then brute-force the token.
The registered email address for the account receives an email for the password reset request, which alerts the account owner to a possible attack.
-
Impact: A successful attack would allow the attacker to reset the password for any account, including the administrator account.
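The following Python example is added here to illustrate the flaw described above and its fix; it is not Aviatrix code. It implements a minimal reset-token store with an unbounded verifier (every guess is checked, forever) beside a bounded one (token lifetime, attempt cap, single use, constant-time comparison, only a hash of the token kept server-side). The attempt cap of 5, the 15-minute lifetime and the four-digit token used in the simulation are this example's own assumptions; the tiny token space exists only so the sweep finishes instantly, real tokens come from secrets.token_urlsafe.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple

MAX_ATTEMPTS = 5          # assumed policy: wrong guesses before the token is voided
TOKEN_TTL_SECONDS = 900   # assumed policy: token lifetime (15 minutes)


@dataclass
class ResetRequest:
    token_hash: bytes     # only a hash is kept, so a leaked table does not leak live tokens
    issued_at: float
    attempts: int = 0
    voided: bool = False


class ResetTokenStore:
    """Illustrative password-reset token store; not Aviatrix code."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._requests: Dict[str, ResetRequest] = {}
        self._now = now

    @staticmethod
    def _digest(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account: str, token: Optional[str] = None) -> str:
        """Create a reset request. Real tokens come from secrets.token_urlsafe;
        the demo may pass a deliberately weak token so a brute force is feasible."""
        token = secrets.token_urlsafe(32) if token is None else token
        self._requests[account] = ResetRequest(self._digest(token), self._now())
        return token   # delivered out of band (e-mail); never stored in clear

    def verify_unbounded(self, account: str, candidate: str) -> str:
        """The flaw described above: every guess is checked, with no cap or expiry."""
        req = self._requests.get(account)
        if req is None:
            return "locked"
        if hmac.compare_digest(req.token_hash, self._digest(candidate)):
            del self._requests[account]
            return "ok"
        return "bad"

    def verify(self, account: str, candidate: str) -> str:
        """Hardened: expiry, attempt cap, single use, constant-time comparison."""
        req = self._requests.get(account)
        if req is None or req.voided:
            return "locked"      # same answer for "no request" and "voided": no enumeration hint
        if self._now() - req.issued_at > TOKEN_TTL_SECONDS:
            del self._requests[account]
            return "expired"
        req.attempts += 1
        if hmac.compare_digest(req.token_hash, self._digest(candidate)):
            del self._requests[account]       # single use
            return "ok"
        if req.attempts >= MAX_ATTEMPTS:
            req.voided = True                 # the user must request a fresh token
            return "locked"
        return "bad"


def brute_force(account: str, verify: Callable[[str, str], str],
                space: Iterable[str]) -> Tuple[bool, int]:
    """Sweep `space` until the verifier accepts a guess or refuses further ones.
    Returns (token recovered?, guesses spent)."""
    guesses = 0
    for candidate in space:
        guesses += 1
        result = verify(account, candidate)
        if result == "ok":
            return True, guesses
        if result in ("locked", "expired"):
            return False, guesses
    return False, guesses


def demo() -> Tuple[bool, int, bool, int]:
    # Constructed: a four-digit token space so the sweep completes instantly.
    space = [f"{i:04d}" for i in range(10_000)]
    unbounded = ResetTokenStore()
    unbounded.issue("admin", token="7421")
    won_a, n_a = brute_force("admin", unbounded.verify_unbounded, space)
    bounded = ResetTokenStore()
    bounded.issue("admin", token="7421")
    won_b, n_b = brute_force("admin", bounded.verify, space)
    return won_a, n_a, won_b, n_b


if __name__ == "__main__":
    print(demo())   # (True, 7422, False, 5)
```

The unbounded verifier gives up the token after 7422 guesses; the bounded one voids it after the fifth wrong guess, so the attacker's only option is to trigger a fresh request, which again lands a notification in the account owner's mailbox.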
CVE # CVE-2025-2172 - Authenticated Remote Code Execution through Shell Parameter Injection (Administrator Privilege Required).
-
Risk Rating: CVSS 6.6 (Medium) CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
-
Description: A vulnerability could allow an authenticated admin user to execute arbitrary commands on Aviatrix Controllers.
-
Impact: A successful attack would allow arbitrary commands to be executed as root on the controller by an authenticated admin user.
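The following Python example is added here to illustrate the class of flaw named in this advisory (shell parameter injection) and is not Aviatrix code; it does not reproduce the affected controller code path. It places a request parameter interpolated into a shell string beside three alternatives: quoting with shlex.quote, passing argv without a shell, and allow-list validation plus argv. The `echo` command stands in for whatever the real handler invoked, and the name allow-list pattern is this example's assumption.

```python
import re
import shlex
import subprocess
from typing import List

# Assumed allow-list for a name-like parameter: letters, digits, dot, underscore,
# hyphen; must start with an alphanumeric so it can never be parsed as an option.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")


def validate_name(name: str) -> str:
    """Reject anything outside the allow-list before it reaches a command line."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"rejected parameter: {name!r}")
    return name


def vulnerable_run(name: str) -> str:
    """Vulnerable pattern: a request parameter interpolated into a shell string.
    `echo` stands in for whatever the real handler invoked; /bin/sh parses the
    metacharacters in `name` and runs the attacker's second command."""
    proc = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return proc.stdout


def quoted_shell_run(name: str) -> str:
    """If a shell is unavoidable, shlex.quote turns the whole value into one word."""
    proc = subprocess.run("echo " + shlex.quote(name), shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def argv_only_run(name: str) -> str:
    """No shell: the value is one argv element, so `;` and `$()` are inert.
    It still reaches the program verbatim, so option injection (e.g. a leading
    '-') remains possible without validation."""
    proc = subprocess.run(["echo", name], capture_output=True, text=True)
    return proc.stdout


def hardened_run(name: str) -> str:
    """Hardened pattern: allow-list validation first, then argv without a shell."""
    argv: List[str] = ["echo", validate_name(name)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "gw1; echo INJECTED"
    print(repr(vulnerable_run(payload)))     # 'gw1\nINJECTED\n'  <- second command ran
    print(repr(argv_only_run(payload)))      # 'gw1; echo INJECTED\n'  <- inert
    print(repr(argv_only_run("-n")))         # ''  <- option injection still bites
    try:
        hardened_run(payload)
    except ValueError as exc:
        print(exc)
```

Dropping the shell removes command injection, but the `-n` case shows why the allow-list is still needed: a value that reaches the program verbatim can still be read as an option. Validate the shape of the parameter first, then pass it as a single argv element.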
Affected Products
All supported versions of Aviatrix Controller prior to 8.0.0, 7.2.5090, and 7.1.4208. These three releases were made available on May 19, 2025.
Solution
Upgrade the Controller to 8.0.0, 7.2.5090, or 7.1.4208. If you are running an older version, install the security patch CVE-2025-2171 and CVE-2025-2172 - Controller Security Vulnerabilities.
Aviatrix also recommends following the Controller IP Access guidance and ensuring that the controller does not have port 443 exposed to the internet.
Action to take if the controller is later upgraded to a release that does not contain the fix:
After the patch has been applied, if the controller is upgraded to a version earlier than 7.2.5090, 7.1.4208, or 8.0.0, the patch must be reapplied.
Applying the patch
You can use either the Controller UI or CoPilot to apply the patch:
Controller UI
-
Backup your Aviatrix Controller. For more information, see Controller Backup and Restore.
-
Navigate to Settings > Maintenance > Security Patches and click Update Available Patches followed by the refresh button.
-
Filter for CVE-2025-2171 and CVE-2025-2172 - Controller Security Vulnerabilities. If it is not shown in the table, click the refresh button again.
-
Click on CVE-2025-2171 and CVE-2025-2172 - Controller Security Vulnerabilities.
-
Click on Actions.
-
Click on Apply Patch.
-
Confirm that the patch shows Patched.
-
Backup your Aviatrix Controller again to save the new configuration.
CoPilot
-
Backup your Aviatrix Controller. For more information, see Back Up and Restore Your Controller on Controller UI.
-
Apply the security or software patch on the controller. From the Aviatrix Controller, navigate to Settings > Maintenance > Security Patches and click Update Available Patches. You should see the new patch in the list.
-
Apply the patch by clicking on the icon on the right and selecting Apply Patch from the popup menu.
-
Validate the update by clicking the icon on the right, selecting Patch Status, and scrolling to the bottom of the page.
-
Backup your Aviatrix Controller again to save the new configuration.
Acknowledgment
Aviatrix would like to thank Louis Dion-Marcil of Mandiant for the responsible disclosure of these vulnerabilities. The technical writeup can be found at Google Cloud Blog - Trix Shots: Remote Code Execution on Aviatrix Controller.
Remote Code Execution Vulnerability in Aviatrix Controllers
Date 01/07/2025
CVE # CVE-2024-50603
Risk Rating: CVSS 9.9 (Critical) for Aviatrix Controllers AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description: A vulnerability could allow an unauthenticated user to execute arbitrary commands on Aviatrix Controllers. Aviatrix has seen indications that bad actors are attempting to exploit this vulnerability and strongly recommends that you take action to protect your controllers.
Impact: A successful attack would allow arbitrary commands to be executed on the controller by an unauthenticated user.
Affected Products: All supported versions of Aviatrix Controller prior to 7.2.4996 or 7.1.4191
Solution: Install the security patch CVE-2024-50603 - Critical Vulnerability Security Patch, or upgrade the Controller to 7.1.4191 or 7.2.4996. Additionally, Aviatrix recommends following the Controller IP Access guidance and ensuring that the controller does not have port 443 exposed to the internet.
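Both this advisory and the June 2025 advisory above close with the same recommendation: do not leave the controller's port 443 open to the internet. The following Python check is added here as an example of how to verify that in a cloud account and is not Aviatrix code or part of the Controller IP Access guidance. It walks security-group rules in the shape returned by `aws ec2 describe-security-groups` and flags any group that exposes a port to 0.0.0.0/0 or ::/0, including all-traffic (`-1`) rules and port ranges that cover 443. The group IDs, names and CIDRs in the sample are constructed.

```python
import ipaddress
from typing import Dict, List

CONTROLLER_PORT = 443          # the controller's HTTPS management port


def rule_exposes_port(perm: dict, port: int) -> List[str]:
    """CIDRs in one security-group IpPermissions entry that open `port` to the whole
    internet (0.0.0.0/0 or ::/0). Only TCP and all-traffic (-1) rules can match."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return []
    if proto == "tcp":
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if not lo <= port <= hi:
            return []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def audit_security_groups(groups: List[dict], port: int = CONTROLLER_PORT) -> Dict[str, List[str]]:
    """Map GroupId -> offending CIDRs for every group that exposes `port` to the internet."""
    findings: Dict[str, List[str]] = {}
    for sg in groups:
        hits: List[str] = []
        for perm in sg.get("IpPermissions", []):
            hits.extend(rule_exposes_port(perm, port))
        if hits:
            findings[sg["GroupId"]] = hits
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "controller-admin",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}],       # office range (fine)
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},          # world-open over IPv6 (bad)
    {"GroupId": "sg-4e5f6a7b", "GroupName": "controller-legacy",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-8c9d0e1f", "GroupName": "controller-internal",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},   # not port 443
]

if __name__ == "__main__":
    print(audit_security_groups(SAMPLE_GROUPS))
```

The IPv6 `::/0` entry on the first group is the case most often missed when only IPv4 ranges are reviewed, and the all-traffic rule on the second group exposes 443 without naming it. Feed the function the real JSON from the account that hosts the controller; an empty result means no group opens the management port to the whole internet (it does not assess whether the remaining ranges are as narrow as the Controller IP Access guidance expects).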
To apply the patch, follow the standard procedure for Applying a Security Patch.
In certain circumstances the patch is not fully persistent across controller upgrades and must be re-applied, even if the controller status is displayed as “Patched”. These circumstances are:
Acknowledgment:
Aviatrix would like to thank Louis Dion-Marcil of Mandiant for the responsible disclosure of this vulnerability. The technical writeup can be found at Google Cloud Blog - Trix Shots: Remote Code Execution on Aviatrix Controller.
Aviatrix Egress FQDN Firewall Security Misconfiguration
Date 04/02/2024
CVE # CVE-2023-52087
Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
Aviatrix discovered a security issue in the Aviatrix Egress FQDN Firewall. In prior releases, the firewall would ALLOW traffic on TLS ports that was not TLS, or that was TLS but carried no Server Name Indication (SNI), the field the FQDN filter matches on.
The current release changes the default behavior to DENY for non-TLS traffic on these ports.
This is a breaking change from prior releases, so be sure to see the Solution section of this advisory if this functionality must be preserved.
Impact
Packets that should be blocked by the Egress FQDN Firewall are allowed through unexpectedly.
Affected Products
All versions before:
-
7.1.3006
-
7.0.2239
-
6.9.822
-
6.8.1826
Solution
If you require non-TLS traffic to egress over the HTTPS port (tcp/443), do the following:
-
Aviatrix Controller > Security > Egress Control > 3. Egress FQDN Filter > Global Config.
-
Enable "non-TLS traffic over HTTPS port" under Global Settings. For releases 7.0.2239 and 7.1.3006 this can be done from the Controller UI. For releases 6.9.822 and 6.8.1826 it cannot be done from the UI.
-
If you choose to revert to the old default behavior in release 6.9.822 or 6.8.1826, contact Aviatrix Support, who can toggle this setting to ALLOW for you.
Because non-TLS traffic on the HTTPS port (tcp/443) is not logged in syslog messages, there is no way in prior releases to detect this kind of traffic from the Aviatrix Controller/CoPilot UI.
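The following Python example is added to illustrate the two behaviors described in this advisory and is not Aviatrix code: a small TLS ClientHello parser that extracts the SNI, and an egress decision for tcp/443 that models the pre-fix fail-open handling of non-TLS and SNI-less traffic beside a fail-closed default. The ClientHello builder (zeroed random, one cipher suite), the allow-list format with `*.` wildcards, and treating SNI-less TLS as unclassified under the fail-closed default are this example's assumptions; the advisory itself states the default change only for non-TLS traffic.

```python
from typing import Iterable, Optional, Tuple

HTTPS_PORT = 443


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record (zeroed random, one
    cipher suite), with or without a server_name extension. Test data only."""
    body = b"\x03\x03" + bytes(32)          # legacy_version, random (zeroed for the demo)
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\x13\x01"               # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                       # compression_methods: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name      # name_type host_name
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts += b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list
    body += len(exts).to_bytes(2, "big") + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_client_hello_sni(payload: bytes) -> Tuple[bool, Optional[str]]:
    """(is_tls, sni). is_tls is False when the bytes are not a TLS handshake record;
    sni is None when the ClientHello carries no server_name (or is truncated)."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return False, None
    rec_len = int.from_bytes(payload[3:5], "big")
    hs = payload[5:5 + rec_len]
    try:
        if hs[0] != 0x01:                                       # not a ClientHello
            return True, None
        pos = 4 + 2 + 32                                        # header, version, random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")       # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):
            return True, None                                   # no extensions block
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(hs[pos:pos + 2], "big")
            ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
            ext = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0x00:
                name_len = int.from_bytes(ext[3:5], "big")
                name = ext[5:5 + name_len]
                if len(name) == name_len:
                    return True, name.decode("ascii", "replace")
        return True, None
    except IndexError:
        return True, None                                       # truncated ClientHello


def fqdn_allowed(host: str, allowed: Iterable[str]) -> bool:
    """Exact match, or suffix match for entries written as *.example.net."""
    host = host.lower().rstrip(".")
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("*.") and host.endswith(entry[1:]):
            return True
        if host == entry:
            return True
    return False


def egress_decision(dst_port: int, first_bytes: bytes, allowed: Iterable[str],
                    legacy_allow_unclassified: bool = False) -> str:
    """ALLOW or DENY for the first client bytes of a flow to dst_port.
    legacy_allow_unclassified=True reproduces the pre-fix fail-open behavior."""
    if dst_port != HTTPS_PORT:
        return "DENY"                      # only the HTTPS port is modelled here
    is_tls, sni = parse_client_hello_sni(first_bytes)
    if not is_tls or sni is None:
        return "ALLOW" if legacy_allow_unclassified else "DENY"
    return "ALLOW" if fqdn_allowed(sni, allowed) else "DENY"


if __name__ == "__main__":
    allow = {"updates.example.com", "*.pkgs.example.net"}
    http = b"GET / HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"      # plaintext on tcp/443
    print(egress_decision(443, build_client_hello("updates.example.com"), allow))   # ALLOW
    print(egress_decision(443, http, allow, legacy_allow_unclassified=True))          # ALLOW (old)
    print(egress_decision(443, http, allow))                                          # DENY  (new)
```

The key observation is that the filter has no FQDN to compare against until it has parsed an SNI, so anything that is not a ClientHello with a server_name has to be decided by a default; the pre-fix default let it through, the fixed one does not. The plaintext HTTP case is also the one the advisory notes was not logged, which is why the fail-open default was hard to spot from the UI.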
Aviatrix Egress FQDN Firewall High-Availability Security Misconfiguration
Date 04/02/2024
CVE # CVE-2023-52087
Risk Rating 5.5 (Medium) AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Description
If an Aviatrix Egress FQDN HA gateway is launched after an Egress FQDN tag has been attached to the primary gateway, the HA gateway is launched in non-enforcing mode. The non-enforcing setting is visible on the Controller UI. In this configuration, when the primary gateway fails, the secondary does not enforce the filter as expected.
Impact
The secondary Egress FQDN Firewall may come up in non-enforcing mode, potentially allowing traffic through the Egress FQDN Firewall unexpectedly.
Affected Products
All versions before:
-
7.1.3006
-
7.0.2239
-
6.9.822
-
6.8.1826
Solution
-
If you are running affected Aviatrix software releases and have existing HA Egress Firewall Gateways, temporarily remove the Egress FQDN Filter tag from the primary gateway and then re-add it.
-
If you are running affected Aviatrix software releases and creating new HA Egress Firewall Gateways, create the HA gateway before assigning an Egress FQDN Filter tag.
-
The latest Aviatrix software releases have resolved this issue; no action is needed on those releases.
Remote Code Execution
Date 05/27/2022
Risk Rating 10.0 (Critical) AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description Several vulnerabilities could be combined by an attacker to abuse a Gateway command mechanism, allowing arbitrary remote code execution. This vulnerability is not known to have been exploited.
Impact An unauthenticated attacker could run arbitrary commands against Aviatrix gateways.
Affected Products Aviatrix Controller and Gateways.
Solution Upgrade your controller and gateway software to one of the following releases:
-
6.4.3057
-
6.5.3233
-
6.6.5612
-
6.7.1185
Post-Auth Remote Code Execution
Date 04/11/2022
Risk Rating High
Description The TLDAP APIs contain functions whose inputs are not properly sanitized, which would allow an authenticated malicious user to inject arbitrary commands.
Impact A user authenticated to the controller UI could execute arbitrary code.
Affected Products Aviatrix Controller.
Solution Upgrade your controller and gateway software to one of the following releases:
-
6.4.3049
-
6.5.3166
-
6.6.5545
Aviatrix Controller and Gateways - Privilege Escalation
Date 02/03/2022
Risk Rating Medium
Description CVE-2021-4034 and CVE-2022-0185 are publicly disclosed local privilege escalation vulnerabilities released in the two weeks before this advisory. When successfully exploited, they give an unprivileged local user administrative rights on the target machine. The Aviatrix Gateway, Controller, and CoPilot all run vulnerable versions of the affected Linux packages. However, exploiting these vulnerabilities requires local access to the systems, and no vulnerability known to Aviatrix today would provide such access.
Impact A local user on the appliances can escalate privileges to root.
Affected Products Aviatrix Controller and Gateways.
Solution
-
Upgrade CoPilot to Release 1.6.3.
-
Apply the security patch AVI-2022-0001 - CVE-2021-4034 and CVE-2022-0185 Privilege Escalation Patches to controllers.
Aviatrix Controller and Gateways - Unauthorized Access
Date 11/11/2022
Risk Rating High for Gateways, Medium for Controller.
Description On the Aviatrix Controller, a successful attack would allow an unauthenticated remote attacker partial access to configuration information and the ability to disrupt the service. On the gateway, a successful attack would allow an unauthenticated network-adjacent attacker (an attacker present in the gateway's VPC) access to its API.
Impact Access to configuration information and disruption of service.
Affected Products Aviatrix Controller, Gateways and CoPilot.
Solution Upgrade your controller and gateway software to one of the following releases:
-
6.4.2995 or later.
-
6.5.2898 or later.