
Attackers are exploiting a command injection vulnerability in ArrayOS AG VPN devices to plant PHP webshells and create rogue users. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. Review this Cybersecurity Threat Advisory to discover recommended actions for protecting your environments and devices.
What is the threat?
The flaw affects ArrayOS AG Series devices running version 9.4.5.8 and earlier when DesktopDirect remote access is enabled. A fix is available in version 9.4.5.9. Japan’s CERT/CC has observed ongoing targeted exploitation in Japan since at least August.
The vulnerability enables remote command execution on affected devices, allowing attackers to upload PHP webshells and to create rogue users. A webshell is a small script that provides attackers with remote control via a web interface.
Why is it noteworthy?
ArrayOS AG VPN devices are widely used by large organizations for secure remote access, with a notable concentration of exploitation activity observed in Asia, particularly Japan. This exploitation builds on a prior critical vulnerability (CVE-2023-28461) in related ArrayOS/vxAG products, which demonstrated how quickly attackers can abuse authentication weaknesses to gain control. The combination of broad deployment, potential for persistence, and the possibility of lateral movement underscores the urgency of rapid remediation and vigilant monitoring.
What is the exposure or risk?
Attack activity has been concentrated in Japan, but the risk extends to any organization with exposed or unpatched VPN gateways. Compromised devices can lead to webshell deployment, rogue user creation, data exfiltration, VPN disruption, and intrusions into downstream systems. The likelihood of exploitation increases when patches are delayed, the DesktopDirect feature remains enabled, or management interfaces are reachable from insecure networks.
What are the recommendations?
Barracuda strongly recommends the following actions to secure ArrayOS AG Series devices:
- Upgrade all affected devices to version 9.4.5.9 or the latest release available from Array Networks.
- Disable DesktopDirect if it is not in use to reduce attack surface.
- Restrict management interfaces to trusted networks, enforce strong credentials, and consider enabling MFA where possible.
- Look for unusual VPN login activity, unauthorized user creation, and signs of webshells; regularly review configurations and maintain an up-to-date firmware inventory.
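A small triage script for the last recommendation (rogue accounts and webshell indicators), added here as an illustrative example that is not from the advisory, Barracuda or Array Networks: the account baseline, the PHP file contents and the `dd/` paths are constructed, and the indicator patterns are generic PHP webshell heuristics rather than ArrayOS-specific signatures.

```python
import re

# Constructed sample data (hypothetical; real ArrayOS account exports and web roots differ).
BASELINE_ACCOUNTS = {"admin", "vpnops", "helpdesk"}
SAMPLE_FILES = {
    # constructed webshell-like one-liner: request input flows straight into eval()
    "dd/shell.php": "<?php @eval($_POST['c']); ?>",
    # constructed benign page: uses request input but only echoes it, no exec sink
    "dd/index.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
    # constructed config loader: decodes stored data but takes no request input
    "dd/conf.php": "<?php $cfg = json_decode(base64_decode($stored), true); ?>",
}

# Indicators: a code/command sink, request-controlled input, and decode wrappers often used to hide payloads.
SINKS = re.compile(r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|php://input", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def find_rogue_accounts(current_accounts, baseline=BASELINE_ACCOUNTS):
    """Return accounts present on the device that are not in the approved baseline."""
    return sorted(set(current_accounts) - set(baseline))


def score_php_source(src):
    """Return the webshell indicators found in one PHP source string (empty list if none)."""
    findings = []
    if SINKS.search(src) and REQUEST_INPUT.search(src):
        findings.append("request input reaches an exec/eval sink")
    if OBFUSCATION.search(src):
        findings.append("decode/inflate wrapper present")
    return findings


def triage_php_files(files):
    """Map each file whose contents trip at least one indicator to its findings."""
    return {name: f for name, src in files.items() if (f := score_php_source(src))}


if __name__ == "__main__":
    # Constructed current account list: "support01" is not in the baseline and should be flagged.
    print("rogue accounts:", find_rogue_accounts(["admin", "vpnops", "helpdesk", "support01"]))
    for name, findings in triage_php_files(SAMPLE_FILES).items():
        print(name, "->", "; ".join(findings))
```

Files that trip only the decode-wrapper indicator are lower confidence and need manual review; the sink-plus-request-input combination is the stronger signal.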
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

