A command injection vulnerability in Array Networks AG Series VPN appliances is being actively exploited by attackers to deploy webshells and create unauthorized user accounts. The flaw affects ArrayOS AG version 9.4.5.8 and earlier, impacting both physical hardware and virtual appliances that have the 'DesktopDirect' remote access feature enabled. Although the vendor released a fix in version 9.4.5.9 during a May security update, the lack of an assigned CVE identifier has complicated patching efforts and threat tracking.
Japan's CERT (JPCERT/CC) has confirmed that attacks exploiting this vulnerability have been occurring since at least August 2025, primarily targeting organizations in Japan. The attackers use a specific IP address to execute commands that place a PHP webshell on the compromised device's file system. With over 1,800 instances of ArrayAG devices exposed online, mostly in China, Japan, and the United States, the potential attack surface is significant.
If immediate patching is not possible, administrators are advised to disable the DesktopDirect service if it is not required or implement URL filtering to block requests containing semicolons. This incident highlights the ongoing risk posed by unpatched network perimeter devices, especially when vulnerabilities lack clear public identifiers to aid in defensive coordination.
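The interim mitigation above (filter requests containing semicolons) can also be turned into a detection over existing access logs. The following is an added example, not code from the article or from Array Networks: a small filter that flags HTTP request targets containing a semicolon in literal or percent-encoded form, and a scanner that applies it to log lines. The endpoint paths and log lines are constructed for illustration and are not the real ArrayOS paths or the observed attack traffic.

```python
"""Added example (not from the original article or the vendor): a URL
filter that flags request targets containing a semicolon, literally or
percent-encoded, plus a scanner that applies it to access-log lines.

All paths and log lines below are constructed; they are not the real
ArrayOS DesktopDirect endpoints or real attack traffic.
"""
import re
from urllib.parse import unquote

# A literal ';' or any percent-encoding of it (%3B / %3b).
_SEMICOLON = re.compile(r";|%3b", re.IGNORECASE)

# Common Log Format: client ip, ident, user, [timestamp], "method target proto", status, size
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def request_contains_semicolon(target: str, max_decode_rounds: int = 3) -> bool:
    """Return True if `target` contains a semicolon in raw form or after up to
    `max_decode_rounds` rounds of percent-decoding (so double-encoded %253B
    is caught as well). Decoding stops early once the string no longer changes."""
    current = target
    for _ in range(max_decode_rounds + 1):
        if _SEMICOLON.search(current):
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return False


def scan_access_log(log_text: str) -> list[dict]:
    """Parse CLF lines and return the entries whose request target would be
    blocked by the semicolon filter. Unparseable lines are skipped."""
    flagged = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        if request_contains_semicolon(target):
            flagged.append({"ip": ip, "time": ts, "method": method,
                            "target": target, "status": int(status)})
    return flagged


# Constructed sample log: hypothetical '/example/...' paths, RFC 5737 test addresses.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Nov/2025:10:01:02 +0900] "GET /example/login HTTP/1.1" 200 512
198.51.100.7 - - [12/Nov/2025:10:01:09 +0900] "GET /example/desktopdirect?session=abc;x=1 HTTP/1.1" 200 77
198.51.100.7 - - [12/Nov/2025:10:01:15 +0900] "GET /example/desktopdirect?session=abc%3Bx%3D1 HTTP/1.1" 200 77
203.0.113.10 - - [12/Nov/2025:10:02:31 +0900] "POST /example/upload HTTP/1.1" 302 0
198.51.100.7 - - [12/Nov/2025:10:03:44 +0900] "GET /example/desktopdirect?session=abc%253Bx HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['target']} -> {hit['status']}")
```

The filter decodes iteratively so that a single-encoded `%3B` or a double-encoded `%253B` is treated the same as a literal semicolon; a filter that only checked the raw target would miss both. Run against real logs, the `ip` and `time` fields of the flagged entries are the pivot points for the incident timeline.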