CVE-2021-40870

CRITICAL KEV NUCLEI

Aviatrix Controller <6.5-1804.1922 - Code Injection

Title source: llm

Exploitation Summary

CVE-2021-40870 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 18, 2022. EIP tracks 6 public exploits from researchers including 0xAgun, orangmuda, JoyGhoshs. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2021-40870, an unrestricted file upload vulnerability in Aviatrix Controller, allowing unauthenticated RCE via directory traversal. It uploads a PHP shell and verifies its presence.

Description

An issue was discovered in Aviatrix Controller 6.x before 6.5-1804.1922. Unrestricted upload of a file with a dangerous type is possible, which allows an unauthenticated user to execute arbitrary code via directory traversal.

Exploits (6)

nomisec WORKING POC 15 stars
by 0xAgun · remote
https://github.com/0xAgun/CVE-2021-40870

This PoC exploits CVE-2021-40870, an unrestricted file upload vulnerability in Aviatrix Controller, allowing unauthenticated RCE via directory traversal. It uploads a PHP shell and verifies its presence.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix Controller 6.x before 6.5-1804.1922
No auth needed
Prerequisites: Python 3.x · requests library · urllib3 library · target URL with trailing slash
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 3 stars
by orangmuda · remote
https://github.com/orangmuda/CVE-2021-40870

This exploit leverages a path traversal vulnerability in Aviatrix to write arbitrary PHP code to a file on the target system, enabling remote code execution (RCE). The PoC sends a crafted POST request to create a malicious PHP file and then verifies its existence via a GET request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix (version not specified)
Auth required
Prerequisites: Authenticated access to the Aviatrix application · Network access to the target URL
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 2 stars
by JoyGhoshs · remote
https://github.com/JoyGhoshs/CVE-2021-40870

This PoC exploits CVE-2021-40870, an unrestricted file upload vulnerability in Aviatrix, allowing an authenticated user to execute arbitrary PHP code by uploading a malicious file. The script sends a crafted POST request to create a PHP file in a writable directory and verifies its presence via a GET request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix (version not specified)
Auth required
Prerequisites: Authenticated access to the Aviatrix application · Network access to the target URL
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by System00-Security · remote
https://github.com/System00-Security/CVE-2021-40870

This PoC exploits CVE-2021-40870, an unrestricted file upload vulnerability in Aviatrix, allowing an authenticated user to upload a malicious PHP file and achieve remote code execution (RCE). The script sends a crafted POST request to create a PHP file in a writable directory and verifies its existence via a GET request.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix (version not specified)
Auth required
Prerequisites: Authenticated access to the Aviatrix application · Network access to the target URL
devstral-2 · analyzed Feb 16, 2026

inthewild WORKING POC
poc
https://github.com/thomsdev/cve-2021-40870

The repository contains a functional Python exploit for CVE-2021-40870, which allows an authenticated user to execute arbitrary PHP code on Aviatrix systems via a path traversal vulnerability in the 'set_metric_gw_selections' action.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix
Auth required
Prerequisites: authenticated access to the Aviatrix system · network access to the target URL
devstral-2 · analyzed Feb 23, 2026

inthewild WORKING POC
poc
https://github.com/byteofjoshua/cve-2021-40870

The repository contains a functional Python exploit for CVE-2021-40870, which allows an authenticated user to execute arbitrary PHP code on Aviatrix systems via a path traversal vulnerability in the 'set_metric_gw_selections' action.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Aviatrix (version not specified)
Auth required
Prerequisites: Authenticated access to the Aviatrix system · Target URL with scheme (e.g., https://avaitix.target.com)
devstral-2 · analyzed Feb 23, 2026

Nuclei Templates (1)

Aviatrix Controller 6.x before 6.5-1804.1922 - Remote Command Execution
CRITICAL · by pikpikcu
Shodan: http.title:"aviatrix cloud controller"
FOFA: title="aviatrix cloud controller"

Scores

CVSS v3 9.8
EPSS 0.9426
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-01-18
VulnCheck KEV 2021-12-21
InTheWild.io 2021-12-21
ENISA EUVD EUVD-2021-28025
CWE CWE-23
Status published
Products (1)
aviatrix/controller 6.2 - 6.2.2043
Published Sep 13, 2021
KEV Added Jan 18, 2022
Tracked Since Feb 18, 2026