Critical Command Injection Flaw Exploited in Array Networks AG Series; Update to ArrayOS 9.4.5.9 Urged

A critical security flaw has been identified in Array Networks' AG Series secure access gateways, specifically within the DesktopDirect feature. This vulnerability, which allows command injection, has been actively exploited since August 2025, as reported by the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC).

Vulnerability Details

The DesktopDirect feature enables users to remotely access their work computers securely. However, a command injection vulnerability within this feature permits attackers to execute arbitrary commands on the affected systems. This flaw impacts systems running ArrayOS versions 9.4.5.8 and earlier. Array Networks addressed this issue on May 11, 2025, by releasing ArrayOS version 9.4.5.9, that is, before the in-the-wild exploitation reported by JPCERT/CC began.

Exploitation and Impact

JPCERT/CC has confirmed that, since August 2025, attackers have exploited this vulnerability to deploy web shells on vulnerable devices in Japan. These attacks have been traced back to the IP address 194.233.100[.]138. The deployment of web shells provides attackers with persistent remote access, enabling them to execute further malicious activities.

Historical Context

This incident is not isolated. In the previous year, an authentication bypass vulnerability in the same product, identified as CVE-2023-28461 with a CVSS score of 9.8, was exploited by a China-linked cyber espionage group known as MirrorFace. This group has a history of targeting Japanese organizations since at least 2019. However, there is currently no evidence linking MirrorFace to the recent exploitation of the DesktopDirect vulnerability.

Mitigation Measures

To protect against potential threats, users are strongly advised to update their systems to ArrayOS version 9.4.5.9 or later. If immediate patching is not feasible, it is recommended to disable the DesktopDirect service and implement URL filtering to block access to URLs containing a semicolon, as per JPCERT/CC’s guidance.
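As an added illustration (not code from JPCERT/CC or Array Networks), the following Python snippet shows how a defender could apply the interim guidance above to web access logs: it flags requests whose URL contains a semicolon and requests from the source IP named in the report. The log lines are constructed in a generic combined-log format, and checking the percent-decoded URL as well is an assumption added here so that an encoded semicolon (%3B) is not missed by the filter.

```python
import re
from urllib.parse import unquote

# Source IP named in the JPCERT/CC report (shown defanged above, refanged here).
REPORTED_SOURCE_IP = "194.233.100.138"

# Constructed combined-format access log lines for demonstration only.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:10:01:02 +0900] "GET /portal/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2025:10:01:05 +0900] "GET /portal/index.html;foo=bar HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Aug/2025:10:01:09 +0900] "POST /portal/form%3Bfoo HTTP/1.1" 200 64 "-" "curl/8.0"
194.233.100.138 - - [12/Aug/2025:10:02:00 +0900] "GET /portal/status HTTP/1.1" 200 12 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def url_contains_semicolon(url: str) -> bool:
    """True if the request target contains ';' literally or after percent-decoding.

    JPCERT/CC's guidance is to block URLs containing a semicolon; also checking
    the decoded form is an assumption added here so that %3B is not missed.
    """
    decoded = unquote(unquote(url))  # second pass also catches double-encoded %253B
    return ";" in url or ";" in decoded


def triage_access_log(text: str):
    """Return (ip, url, reasons) for each line in the log that matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = []
        if url_contains_semicolon(m["url"]):
            reasons.append("semicolon-in-url")
        if m["ip"] == REPORTED_SOURCE_IP:
            reasons.append("reported-source-ip")
        if reasons:
            findings.append((m["ip"], m["url"], reasons))
    return findings


if __name__ == "__main__":
    for ip, url, reasons in triage_access_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(reasons)}")
```

A hit on the semicolon check is a reason to inspect the device for web shells, not proof of compromise on its own; legitimate applications sometimes use semicolons in URLs, which is why the vendor update remains the real fix.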

Conclusion

The exploitation of this command injection vulnerability underscores the critical importance of timely software updates and vigilant network monitoring. Organizations utilizing Array Networks’ AG Series gateways should take immediate action to secure their systems and prevent unauthorized access.