Critical Vulnerability in Array Networks SSL VPN Products Exploited by Hackers

November 26, 2024

The U.S. Cyber Defense Agency (CISA) has identified active exploitation of a critical remote code execution vulnerability in SSL VPN products, specifically Array Networks AG and vxAG ArrayOS. The issue is tracked as CVE-2023-28461 and carries a severity score of 9.8, which has led to its inclusion in the Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability can be exploited through a susceptible URL. It is essentially an improper authentication issue that permits remote code execution on Array AG Series and vxAG appliances running version 9.4.0.481 and earlier. The vendor's security bulletin describes it as '(CVE-2023-28461 is) […] a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication.'

The flaw was first disclosed on March 9 of the previous year, and Array Networks shipped a fix roughly a week later in Array AG release 9.4.0.484. Array Networks AG Series (hardware appliances) and vxAG Series (virtual appliances) are SSL VPN products that provide secure access to corporate networks, enterprise applications, and cloud services from remote and mobile locations. The vendor states that these products are used by more than 5,000 customers worldwide, including enterprises, service providers, and government agencies.

While CISA has not given any specific details about who is exploiting the vulnerability and which organizations are being targeted, it has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog due to 'evidence of active exploitation.' The agency is advising all federal agencies and critical infrastructure organizations to either apply security updates and available mitigations by December 16 or discontinue using the product.

Security updates for the affected products are available on the Array support portal. The vendor's security advisory also provides a set of commands that mitigate the vulnerability when the updates cannot be installed immediately. Organizations are advised to test the effect of these commands first, as they may negatively affect Client Security, the VPN client's ability to upgrade automatically, and the Portal User Resource function.
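To turn the affected-version boundary above into something an asset owner can run against an inventory, here is an added triage script (not from Array Networks or CISA). It encodes only what the article states: versions 9.4.0.481 and earlier are affected, 9.4.0.484 carries the fix, and the CISA due date is December 16. The inventory format, host names and the version strings other than those two are constructed for the example, and the deadline year is assumed from the article date.

```python
"""Triage an appliance inventory against CVE-2023-28461 (Array AG / vxAG).

Added example, not vendor code. Inventory rows and hostnames below are
constructed; only the two version boundaries and the due date come from the article.
"""
from datetime import date

LAST_VULNERABLE = "9.4.0.481"        # this release and earlier are affected
FIXED_RELEASE = "9.4.0.484"          # first release carrying the fix
CISA_DEADLINE = date(2024, 12, 16)   # year assumed from the article's publication date
ARTICLE_DATE = date(2024, 11, 26)


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so comparison is numeric.

    A plain string comparison would rank a hypothetical "9.4.0.1000"
    below "9.4.0.484" because '1' sorts before '4'; tuples of ints do not.
    """
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the running ArrayOS is 9.4.0.481 or earlier."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def triage(inventory: list[dict], today: date) -> list[dict]:
    """One finding per affected appliance: required action and time left to the due date."""
    days_left = (CISA_DEADLINE - today).days
    return [
        {
            "host": host["host"],
            "version": host["version"],
            "action": f"upgrade to {FIXED_RELEASE}, or apply the vendor mitigation commands after testing",
            "days_to_deadline": days_left,
            "overdue": days_left < 0,
        }
        for host in inventory
        if is_affected(host["version"])
    ]


# Constructed sample inventory; hostnames and the 9.3.x / .1000 versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "vpn-gw-1.example.internal", "version": "9.4.0.481"},
    {"host": "vpn-gw-2.example.internal", "version": "9.4.0.484"},
    {"host": "vpn-lab.example.internal", "version": "9.3.0.251"},
    {"host": "vpn-gw-3.example.internal", "version": "9.4.0.1000"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, ARTICLE_DATE):
        print(finding)
```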
