Aviatrix Controller Password Reset Brute Force Vulnerability

Vulnerability

A vulnerability exists in Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0, where rate limiting is not enforced on password reset requests. Because the reset flow accepts an unbounded number of PIN submissions, an attacker can brute force the 6-digit password reset PIN, which has at most 10^6 (one million) possible values. The PIN stays valid for 15 minutes after a reset is initiated, and no attempt counter or lockout invalidates it early, so that 15-minute window is enough to enumerate the entire PIN space and take over the account.

Impact

Exploitation of this vulnerability allows unauthenticated account takeover of any user account on the Aviatrix Controller for which a password reset can be initiated, including administrative accounts. Taking over an administrative account gives the attacker full control of the controller and the multi-cloud network it manages.

Reproduction

To reproduce this vulnerability, initiate a password reset for the target account, then use a tool to automate the PIN-confirmation step, submitting candidate 6-digit PINs repeatedly until one is accepted. Because no rate limiting or attempt limit is enforced, the brute force completes within the 15-minute validity period of the reset PIN provided the attacker can sustain roughly 1,112 attempts per second (10^6 values / 900 seconds); at lower rates the chance of success is proportional to the fraction of the PIN space covered before the PIN expires.
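The following Python model is an added example, not Aviatrix code: it contrasts a reset-PIN check with only an expiry (the behaviour the advisory describes) against a hardened check with a per-token attempt budget, single use and a constant-time comparison, and runs a simulated brute force against both. The token structure, the attempt budget of 5, and the request rate are assumptions for illustration; only the 6-digit PIN and the 15-minute validity come from the advisory.

```python
"""Reset-PIN brute force model: vulnerable (expiry only) vs. hardened verification.

Added example; assumed names (ResetToken, MAX_ATTEMPTS, the rate) are not Aviatrix's.
"""
import hmac
import secrets
from dataclasses import dataclass

PIN_DIGITS = 6
PIN_SPACE = 10 ** PIN_DIGITS       # 1,000,000 candidate PINs (advisory: 6 digits)
PIN_TTL_SECONDS = 15 * 60          # 15-minute validity window (advisory)
MAX_ATTEMPTS = 5                   # assumed per-token attempt budget for the hardened check


@dataclass
class ResetToken:
    pin: str            # zero-padded 6-digit string
    issued_at: float    # seconds on a simulated clock
    attempts: int = 0
    consumed: bool = False


def issue_token(now: float) -> ResetToken:
    """Issue a uniformly random PIN from a CSPRNG (secrets, not random)."""
    return ResetToken(pin=f"{secrets.randbelow(PIN_SPACE):0{PIN_DIGITS}d}", issued_at=now)


def verify_vulnerable(token: ResetToken, guess: str, now: float) -> bool:
    """Expiry is the only control: any number of guesses is accepted within the TTL."""
    if now - token.issued_at > PIN_TTL_SECONDS:
        return False
    return token.pin == guess


def verify_hardened(token: ResetToken, guess: str, now: float) -> bool:
    """Expiry, attempt budget, single use, and constant-time comparison.

    The token is burned on success or once the budget is exhausted, so a 6-digit
    PIN exposes at most MAX_ATTEMPTS / PIN_SPACE odds to an online attacker.
    """
    if token.consumed or now - token.issued_at > PIN_TTL_SECONDS:
        return False
    token.attempts += 1
    ok = hmac.compare_digest(token.pin.encode(), guess.encode())
    if ok or token.attempts >= MAX_ATTEMPTS:
        token.consumed = True
    return ok


def brute_force(verify, token: ResetToken, start: float, rate_per_second: float = 2000.0):
    """Enumerate 000000..999999 in order, advancing a simulated clock by 1/rate per guess.

    Returns (pin_found_or_None, guesses_made). Stops when the TTL window closes.
    """
    for i in range(PIN_SPACE):
        now = start + i / rate_per_second
        if now - start > PIN_TTL_SECONDS:
            return None, i
        guess = f"{i:0{PIN_DIGITS}d}"
        if verify(token, guess, now):
            return guess, i + 1
    return None, PIN_SPACE


def success_probability(rate_per_second: float) -> float:
    """Fraction of the PIN space an attacker covers before the PIN expires (capped at 1.0)."""
    return min(1.0, rate_per_second * PIN_TTL_SECONDS / PIN_SPACE)


if __name__ == "__main__":
    t = ResetToken(pin="123456", issued_at=0.0)   # constructed fixed PIN for a deterministic demo
    print("vulnerable:", brute_force(verify_vulnerable, t, 0.0))
    h = ResetToken(pin="123456", issued_at=0.0)
    print("hardened:  ", brute_force(verify_hardened, h, 0.0))
    print("coverage at 500 req/s:", success_probability(500))
```

Against verify_vulnerable the loop always finds the PIN (at 2,000 guesses per second the whole space takes 500 seconds, inside the window); against verify_hardened the token is consumed after five wrong guesses and the correct PIN is rejected thereafter. success_probability makes the advisory's timing concrete: 1,112 requests per second or more covers the whole space, 500 per second covers 45 percent of it.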

Remediation

Update Aviatrix Controller to version 7.1.4208, 7.2.5090, or 8.0.0 (or a later release in the same branch) to address this vulnerability. After upgrading, verify that repeated wrong PIN submissions for a pending reset are rejected or rate limited rather than accepted indefinitely.

Added: Jun 23, 2025, 2:23 PM
Updated: Jun 23, 2025, 2:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 5.0
exploitability: 6.9
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.