CVE-2024-50603

Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test. Vendor/Product: Aviatrix Controllers. Added to CISA KEV 2025-01-16; required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.