A newly exploited command injection vulnerability in Array Networks AG Series VPN devices is being leveraged by threat actors to plant malicious webshells and establish rogue users on compromised systems. Despite Array Networks releasing a fix in a May security update, the lack of a formal vulnerability identifier (like a CVE-ID) is hindering accurate tracking and efficient patch management for affected organizations. This issue impacts devices running ArrayOS AG 9.4.5.8 and earlier versions, specifically when the ‘DesktopDirect’ remote access feature is enabled on the hardware or virtual appliances.
The severity of the issue was highlighted by an advisory from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), which revealed that attackers have been actively exploiting the vulnerability since at least August. The attacks confirmed by JPCERT/CC follow a pattern of attempting to write a PHP webshell file into the proxy webapp path via command execution. The agency has traced the attacks and associated communications to the specific IP address 194.233.100[.]138. This ongoing exploitation emphasizes the urgent need for users to apply the available security update or implement workarounds.
The recommended solution is to update the affected devices to ArrayOS AG version 9.4.5.9. If immediate patching is not possible, JPCERT/CC provides two crucial workarounds. First, if the DesktopDirect feature is not actively in use, users should disable all DesktopDirect services. Second, organizations can employ URL filtering to block access to any URL that contains a semicolon, as this character is often used in command injection attempts. These measures are critical for defending the Array Networks AG Series, a line of secure access gateways typically used by large enterprises to provide secure remote access to internal resources via SSL VPN.
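As an added defender's example (not code from the article, JPCERT/CC or Array Networks), the following Python scans constructed access-log lines for the two signals the advisory gives: a semicolon anywhere in the request URL, matched after percent-decoding so that an encoded %3B is not missed by a plain string filter, and requests from the reported IP address. The log format, the sample paths and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# IP address that JPCERT/CC associated with the observed attacks.
REPORTED_ATTACKER_IP = "194.233.100.138"

# Common log format: ip ident user [time] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines for demonstration only; the paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
194.233.100.138 - - [12/Nov/2024:10:00:02 +0000] "GET /app/status;ls HTTP/1.1" 200 77
10.0.0.9 - - [12/Nov/2024:10:00:03 +0000] "GET /app/status%3Bls HTTP/1.1" 200 77
10.0.0.9 - - [12/Nov/2024:10:00:04 +0000] "GET /app/status%253Bls HTTP/1.1" 200 77
10.0.0.7 - - [12/Nov/2024:10:00:05 +0000] "POST /login HTTP/1.1" 302 0
"""

def fully_decode(url, max_rounds=3):
    # Percent-decode until stable so %3B and double-encoded %253B both become ';'.
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def classify_request(ip, url):
    # Reasons to block or alert; the semicolon rule is the JPCERT/CC workaround and
    # will also match legitimate URLs that use ';' (e.g. matrix parameters), so review hits.
    reasons = []
    if ";" in fully_decode(url):
        reasons.append("semicolon_in_url")
    if ip == REPORTED_ATTACKER_IP:
        reasons.append("reported_attacker_ip")
    return reasons

def scan_log(text):
    # Parse each line in the expected format and return the flagged requests.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or differently formatted lines
        reasons = classify_request(m["ip"], m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "url": m["url"], "reasons": reasons})
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the three flagged requests; a URL filter that only checks for a literal ';' would miss the two encoded variants.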
Macnica’s security researcher, Yutaka Sejiyama, reported that his scans found 1,831 ArrayAG instances worldwide, with the highest concentrations in China, Japan, and the United States. Sejiyama verified that at least 11 of these hosts had the vulnerable DesktopDirect feature enabled, cautioning that the actual number of exploitable devices is likely much higher. The researcher noted that because the user base for this product is concentrated in Asia and the observed attacks are largely in Japan, security attention from vendors and organizations outside the region has been relatively low.
The ongoing, targeted exploitation of this flaw raises concerns, especially considering that the vendor has not provided a common identifier. The vulnerability’s impact is similar to past security incidents involving Array Networks products; for example, CISA previously issued a warning about the active exploitation of CVE-2023-28461, a critical remote code execution vulnerability in the company’s AG and vxAG ArrayOS products. The lack of a formal advisory and CVE-ID for the current flaw makes it difficult for security teams globally to prioritize and track the threat effectively.