CISA warns of hackers exploiting critical bug in Array Networks SSL VPN products
Take action: If you are using Array Networks AG or vxAG appliances and haven't patched them since March 2023, it is high time to patch immediately. These devices are exposed to the internet by design. You can mitigate some of the issues via the blacklist commands, but at the cost of some functionality. Don't be lazy, apply the patches.
Learn More
CISA and Array Networks warn of a critical security vulnerability in Array Networks' SSL VPN products (the AG Series and vxAG Series) that is being actively exploited by threat actors.
This flaw, tracked as CVE-2023-28461 (CVSS score 9.8), is an authentication bypass vulnerability that enables remote code execution. The vulnerability affects Array AG Series (hardware appliances) and vxAG Series (virtual appliances) running ArrayOS version 9.4.0.481 and earlier.
These products are widely deployed, serving over 5,000 customers globally, including enterprises, service providers, and government organizations, providing secure remote and mobile access to corporate networks, enterprise applications, and cloud services.
The flaw enables attackers to browse the filesystem without authentication, execute remote code on the SSL VPN gateway, exploit the system using a flags attribute in HTTP headers, and access the system through a vulnerable URL.
Array Networks addressed this vulnerability in March 2023 with the release of ArrayOS version 9.4.0.484. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies have been given until December 16, 2024, to implement the necessary patches.
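The two version facts above (9.4.0.481 and earlier affected, fixed in 9.4.0.484) are all a defender needs to triage an asset inventory. The script below is an added example, not code from the advisory or from Array Networks: it parses ArrayOS version strings, compares them against those two builds, and sorts a constructed list of appliances into patch-now, patched, and review buckets. The hostnames, the inventory rows, and the assumption that builds 482 and 483 (which the advisory does not mention) deserve manual review are all made up for the example.

```python
"""Patch-status triage for CVE-2023-28461 on Array Networks AG / vxAG appliances.

Added example, not from the advisory or Array Networks. It encodes the two
version facts the notice gives (9.4.0.481 and earlier affected, fixed in
9.4.0.484) and applies them to a constructed asset inventory.
"""
import re

LAST_AFFECTED = "9.4.0.481"       # highest ArrayOS build reported as vulnerable
FIXED = "9.4.0.484"               # release that contains the fix (March 2023)
AFFECTED_MODELS = ("AG", "vxAG")  # series named in the advisory

# First run of dotted digits in a banner, e.g. "ArrayOS 9.4.0.484" -> "9.4.0.484"
_NUM_RUN = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> tuple:
    """Pull the first dotted numeric run out of a version banner.

    Assumption: real ArrayOS banners may carry extra text around the number;
    only the dotted digits are used for comparison.
    """
    m = _NUM_RUN.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def compare(a: tuple, b: tuple) -> int:
    """Return -1, 0 or 1 like strcmp, padding the shorter tuple with zeros
    so that 9.4.0 and 9.4.0.0 compare equal."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(model: str, version: str) -> str:
    """Classify one appliance against the advisory's version facts.

    'patched'    - build >= 9.4.0.484
    'vulnerable' - build <= 9.4.0.481
    'review'     - build in between (482/483, not covered by the advisory; assumption)
    'n/a'        - model is not in the affected series
    """
    if model not in AFFECTED_MODELS:
        return "n/a"
    v = parse_version(version)
    if compare(v, parse_version(FIXED)) >= 0:
        return "patched"
    if compare(v, parse_version(LAST_AFFECTED)) <= 0:
        return "vulnerable"
    return "review"


def triage(inventory):
    """Group a list of (host, model, version) rows into {status: [hosts]}."""
    out = {}
    for host, model, version in inventory:
        out.setdefault(classify(model, version), []).append(host)
    return out


# Constructed sample inventory: hostnames and version banners are made up.
SAMPLE = [
    ("vpn-a.example.test", "AG", "9.4.0.481"),
    ("vpn-b.example.test", "vxAG", "ArrayOS 9.4.0.484"),
    ("vpn-c.example.test", "AG", "9.3.0.200"),
    ("vpn-d.example.test", "vxAG", "9.4.0.483"),
    ("fw-1.example.test", "OtherVendor", "7.1.2"),
    ("vpn-e.example.test", "AG", "9.5.0.10"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

The comparison pads short version tuples with zeros rather than comparing them lexically, so a banner that omits the build number (for instance "9.4.0") is still placed correctly below 9.4.0.481 instead of being misread as newer or older by string order. Anything the advisory does not explicitly cover lands in the review bucket rather than being assumed safe.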
Recent intelligence from Trend Micro has identified that a Chinese cyber espionage group known as Earth Kasha (also called MirrorFace) has been actively exploiting this vulnerability. While primarily targeting Japanese organizations, the group has also been observed targeting entities in Taiwan, India, and Europe. According to research by VulnCheck, there are currently over 440,000 internet-accessible hosts potentially vulnerable to this flaw.
For organizations unable to update immediately, Array Networks has provided mitigation commands in its security advisory, with the caveat that they impact certain functionality.