CVE-2025-2171: Aviatrix Controller Password Reset PIN Brute-Force Vulnerability
Aviatrix Controller is vulnerable to a brute-force attack on its password reset PIN functionality due to a lack of rate limiting. This allows attackers to potentially gain unauthorized access to accounts.
Vulnerability Details
- CVE ID: CVE-2025-2171
- Description: Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute-force the 6-digit password reset PIN.
- CVSS Score: 7.8 (High)
- CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- CVSS Explanation: This vulnerability is rated High because it allows a remote, unauthenticated attacker to compromise the confidentiality and availability of the system. While the integrity impact is rated Low, the ease of exploitation and the potential impact make it a significant risk. A proof-of-concept exploit exists.
- Exploit Requirements: The attacker needs network access to the Aviatrix Controller and the ability to make multiple password reset requests.
- Affected Vendor: Aviatrix
- Affected Product: Aviatrix Controller
- Affected Versions: Prior to 7.1.4208, 7.2.5090, and 8.0.0
- CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts
- CWE Explanation: CWE-307 describes a flaw where a system doesn't limit the number of login attempts. This allows attackers to repeatedly try different passwords or PINs until they find the correct one. In this case, the lack of rate limiting makes it easy to brute-force the password reset PIN.
Timeline of Events
- Reported: Unknown
- Patched: June 2025 (approximate)
- CVE Assigned: 2025-06-23
Exploitability & Real-World Risk
The vulnerability is highly exploitable due to the lack of rate limiting. A motivated attacker could write a script to rapidly attempt all possible 6-digit PIN combinations. Successful exploitation allows an attacker to reset a user's password, potentially leading to account takeover and unauthorized access to sensitive resources managed by the Aviatrix Controller.
Given the potential impact on cloud infrastructure security, this vulnerability poses a significant risk to organizations using vulnerable versions of Aviatrix Controller.
Recommendations
Upgrade Aviatrix Controller to versions 7.1.4208, 7.2.5090, or 8.0.0, or later, which include rate limiting for password reset attempts. Implement network access controls to restrict access to the Aviatrix Controller management interface.
Technical Insight
The vulnerability stems from the absence of a mechanism to limit the number of password reset attempts within a specific timeframe. By implementing rate limiting, the system could prevent attackers from rapidly guessing PINs, making a brute-force attack infeasible.
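To make this concrete, the following is an added example (not Aviatrix code; the service, class and function names are hypothetical) of a toy password-reset PIN verifier in two forms. `verify_unlimited` models the weak pattern this advisory describes: a 6-digit PIN (1,000,000 possibilities) that may be guessed without limit. `verify_limited` is the hardened form: a small per-token guess budget, token expiry, single use, and a constant-time comparison. `exhaustive_guess_count` runs a local, in-process measurement of each control so the effect of the attempt limit can be observed directly.

```python
"""Password-reset PIN verification with attempt limiting.

Added example, not Aviatrix code: a toy reset service with two verifiers.
`verify_unlimited` models the weak pattern described for CVE-2025-2171
(a 6-digit PIN that may be guessed without limit); `verify_limited` is
the hardened form: a small per-token guess budget, token expiry, single
use, and a constant-time comparison. All names here are hypothetical.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS   # 1,000,000 possible PINs
MAX_ATTEMPTS = 5               # guesses allowed per issued reset token
TOKEN_TTL_SECONDS = 15 * 60    # reset token lifetime


@dataclass
class ResetToken:
    pin: str
    issued_at: float
    attempts: int = 0
    active: bool = True


class ResetService:
    """Holds one outstanding reset token per username (in memory)."""

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for expiry tests
        self._tokens: dict[str, ResetToken] = {}

    def issue(self, username: str) -> str:
        """Create a fresh random PIN; a real system delivers it out of band."""
        pin = f"{secrets.randbelow(PIN_SPACE):0{PIN_DIGITS}d}"
        self._tokens[username] = ResetToken(pin=pin, issued_at=self._clock())
        return pin

    def is_active(self, username: str) -> bool:
        tok = self._tokens.get(username)
        return tok is not None and tok.active

    def verify_unlimited(self, username: str, guess: str) -> bool:
        """Weak: no counter, no expiry, token never invalidated (CWE-307)."""
        tok = self._tokens.get(username)
        return tok is not None and hmac.compare_digest(tok.pin, guess)

    def verify_limited(self, username: str, guess: str) -> bool:
        """Hardened: budget of MAX_ATTEMPTS guesses, then the token is burned."""
        tok = self._tokens.get(username)
        if tok is None or not tok.active:
            return False
        if self._clock() - tok.issued_at > TOKEN_TTL_SECONDS:
            tok.active = False          # expired: caller must request a new PIN
            return False
        tok.attempts += 1
        if hmac.compare_digest(tok.pin, guess):
            tok.active = False          # single use on success
            return True
        if tok.attempts >= MAX_ATTEMPTS:
            tok.active = False          # budget exhausted: burn token, raise an alert
        return False


def exhaustive_guess_count(service: ResetService, username: str, verify) -> tuple[bool, int]:
    """Local measurement of a control: submit PINs in order to `verify`
    until one is accepted or the token is no longer active.
    Returns (succeeded, guesses_made)."""
    guesses = 0
    for candidate in range(PIN_SPACE):
        if not service.is_active(username):
            break
        guesses += 1
        if verify(username, f"{candidate:0{PIN_DIGITS}d}"):
            return True, guesses
    return False, guesses


def success_probability(max_attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that a guesser using its whole budget hits the PIN."""
    return max_attempts / PIN_SPACE


if __name__ == "__main__":
    svc = ResetService()
    svc.issue("alice")
    print("unlimited:", exhaustive_guess_count(svc, "alice", svc.verify_unlimited))
    svc.issue("alice")
    print("limited:  ", exhaustive_guess_count(svc, "alice", svc.verify_limited))
    print(f"limited success chance per token: {success_probability():.0e}")
```

Against `verify_unlimited` the measurement always ends in success after at most 1,000,000 guesses; against `verify_limited` it stops after `MAX_ATTEMPTS` rejected guesses with the token burned, so a guesser's chance per issued token is 5 in a million and each exhausted token is a loggable event. In a real deployment the counter and token state would live in shared storage, and the per-token budget would be paired with a per-account and per-source-IP request limit on issuing new tokens, since otherwise the limit could be bypassed by requesting a fresh PIN.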
Credit to Researcher(s)
Mandiant
Tags
CVE-2025-2171, Aviatrix, Controller, Password Reset, Brute-Force, Rate Limiting, Cloud Security
Summary: Aviatrix Controller versions before 7.1.4208, 7.2.5090, and 8.0.0 are vulnerable to brute-force attacks on the password reset PIN due to a lack of rate limiting. An attacker could potentially gain unauthorized access to accounts. Upgrade to the latest version to mitigate the risk.
CVE ID: CVE-2025-2171
Risk Analysis: Successful exploitation could lead to unauthorized access to user accounts and compromise cloud infrastructure managed by the Aviatrix Controller.
Recommendation: Upgrade to Aviatrix Controller versions 7.1.4208, 7.2.5090, or 8.0.0, or later. Implement network access controls.
Timeline
- 2025-06-23: CVE assigned (estimated)