Vulnerability in Aviatrix Controller

CVE-2025-2171

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN

EPSS: 0.003 (55.6th percentile) — read the EPSS interpretation.

Affected products

Aviatrix Controller — versions 7.1.4208, 7.2.5090, 8.0.0

Weakness classification (CWE)

CWE-307 — Improper Restriction of Excessive Authentication Attempts

References

github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0003.md (third-party-advisory)
cloud.google.com/blog/topics/threat-intelligence/remote-code-execution-aviatrix… (technical-description)