A newly disclosed command injection vulnerability in Array Networks AG Series VPN devices is being actively exploited to deploy PHP webshells and create rogue user accounts.
Key Details
- Vulnerability: Impacts ArrayOS AG 9.4.5.8 and earlier, specifically when the DesktopDirect remote access feature is enabled.
- Fix: Addressed in ArrayOS 9.4.5.9 (released May 2025). No CVE identifier has been assigned yet, complicating tracking and patch management.
- Exploitation timeline: Attacks observed since August 2025, primarily targeting organizations in Japan.
- Observed activity:
- Attackers executed commands to place PHP webshells in
/ca/aproxy/webapp/. - Exploitation traffic traced to IP 194.233.100[.]138, also used for attacker communications.
- Attackers executed commands to place PHP webshells in
- Exposure: Research scans found 1,831 ArrayAG instances worldwide, concentrated in China, Japan, and the U.S. At least 11 hosts confirmed with DesktopDirect enabled.
Workarounds (if patching not possible)
- Disable DesktopDirect services if unused.
- Apply URL filtering to block requests containing semicolons (
;), which are used in injection payloads.
Why It Matters
- SSL VPN gateways like Array AG are high-value targets: they provide direct access to corporate networks, applications, and cloud resources.
- Webshells allow persistent remote control, lateral movement, and data theft.
- Lack of a CVE and limited vendor communication increases the risk of organizations overlooking the flaw.
- Similar exploitation was seen last year with CVE-2023-28461, another critical RCE in ArrayOS.
Defensive Recommendations
- Update immediately to ArrayOS 9.4.5.9 or later.
- Audit VPN appliances for signs of compromise:
- Unexpected PHP files in
/ca/aproxy/webapp/. - Rogue user accounts.
- Suspicious outbound traffic to 194.233.100[.]138.
- Unexpected PHP files in
- Restrict exposure:
- Disable unused features like DesktopDirect.
- Limit VPN access to trusted IPs.
- Monitor logs for command injection attempts and anomalous requests containing semicolons.
- Incident response: If compromise is suspected, isolate the device, reimage with patched firmware, rotate credentials, and review network logs for lateral movement.
Final Thought
This case highlights how VPN appliances remain prime targets for attackers, especially when legacy features like DesktopDirect are enabled. Organizations should treat SSL VPNs as critical infrastructure, patch aggressively, and monitor for exploitation artifacts.
Leave a Reply