🔴 HIGH (news)

ArrayOS AG VPN Flaw Enables Webshell Deployment and RCE

Category: Threat Alerts
A command injection vulnerability with no assigned CVE identifier in Array Networks' ArrayOS AG VPN gateways is being exploited in the wild to plant PHP webshells and create rogue admin users on AG Series appliances. What's concerning: the flaw affects ArrayOS AG 9.4.5.8 and earlier when the 'DesktopDirect' remote access feature is enabled—attackers execute commands to drop webshells in /ca/aproxy/webapp/, establishing persistent backdoor access. Japan's JPCERT/CC confirmed attacks since at least August originating from 194.233.100.138, targeting organizations primarily in Japan. Array Networks patched the flaw in version 9.4.5.9 but never assigned a CVE identifier, complicating vulnerability tracking and patch management. Researchers found 1,831 ArrayAG instances globally, with at least 11 confirmed running vulnerable DesktopDirect. This mirrors last year's CVE-2023-28461 exploitation pattern—Array VPN appliances remain high-value enterprise targets.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Active exploitation of ArrayOS AG VPN devices gives attackers a direct foothold at the network edge, enabling credential theft, stealthy lateral movement, and staging for ransomware or data exfiltration. Organizations relying on AG Series gateways for remote access face heightened risk of material incidents and regulatory fallout if compromised VPN appliances are used to reach sensitive internal systems.

Strategic Intelligence Guidance

  • Identify all Array Networks AG Series appliances, confirm ArrayOS versions, and upgrade to 9.4.5.9 or later wherever DesktopDirect or public portal access is enabled.
  • Disable the DesktopDirect feature entirely if it is not business critical, and in the interim apply URL filtering rules to block suspicious requests with semicolons or other command-injection indicators.
  • Hunt for signs of compromise on AG devices by checking for unexpected PHP files under /ca/aproxy/webapp/, unknown admin accounts, and anomalous CLI commands issued via web sessions.
  • Reassess VPN appliance security posture by restricting access to management and portal interfaces, integrating logs into SIEM, and including VPNs in regular external attack-surface scans.
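The guidance above amounts to three checks: is the appliance in the vulnerable configuration, do its access logs show command-injection indicators or the reported source IP, and are there unexpected PHP files or admin accounts. The script below is an added hunting example, not code from the alert, Array Networks or JPCERT/CC. It assumes Apache-style combined access logs, that you can export a file listing of /ca/aproxy/webapp/ and the current admin list from the appliance by whatever means your environment allows, and that you maintain a known-good baseline of both; the sample log lines, file listing and account names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Last version the alert describes as vulnerable when DesktopDirect is enabled.
LAST_VULNERABLE_VERSION = (9, 4, 5, 8)
# Attacking source reported by JPCERT/CC, as cited in the alert.
KNOWN_BAD_IPS = {"194.233.100.138"}
# Directory where the alert says webshells were dropped.
WEBSHELL_DIR = "/ca/aproxy/webapp/"
# Shell metacharacters that have no business in a legitimate portal request
# (assumed indicator set; extend it for your environment).
INJECTION_RE = re.compile(r"[;|`]|\$\(")
# Apache/nginx combined log format (assumed; adjust to the appliance's export).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text):
    """'9.4.5.8' -> (9, 4, 5, 8), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_patch(version, desktopdirect_enabled):
    """True when the appliance matches the vulnerable configuration in the alert."""
    return desktopdirect_enabled and parse_version(version) <= LAST_VULNERABLE_VERSION


def suspicious_requests(log_lines):
    """Return (reason, line) for every access-log line matching an indicator."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        reasons = []
        if match["ip"] in KNOWN_BAD_IPS:
            reasons.append("known-bad source IP")
        # Decode percent-encoding so %3B is caught as well as a literal ';'.
        if INJECTION_RE.search(unquote(match["target"])):
            reasons.append("shell metacharacter in request target")
        if reasons:
            hits.append((", ".join(reasons), line))
    return hits


def unexpected_php_files(listing, baseline):
    """PHP files under the webshell directory that are absent from the baseline."""
    return sorted(
        path for path in listing
        if path.startswith(WEBSHELL_DIR) and path.endswith(".php") and path not in baseline
    )


def unknown_admins(current, baseline):
    """Admin accounts present now that were not in the known-good list."""
    return sorted(set(current) - set(baseline))


# Constructed sample data: one benign request, one from the reported IP with a
# literal ';', and one percent-encoded ';' from an unrelated address.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Sep/2024:08:12:01 +0000] "GET /portal/index.php HTTP/1.1" 200 1342',
    '194.233.100.138 - - [03/Sep/2024:08:13:44 +0000] "GET /portal/index.php?user=guest;id HTTP/1.1" 200 88',
    '203.0.113.9 - - [03/Sep/2024:08:15:02 +0000] "POST /portal/login?next=%2Fhome%3Bwhoami HTTP/1.1" 302 0',
]
SAMPLE_LISTING = [
    "/ca/aproxy/webapp/index.php",
    "/ca/aproxy/webapp/logo.png",
    "/ca/aproxy/webapp/.cache.php",  # constructed: hidden PHP file not in baseline
    "/tmp/notes.php",                # outside the directory of interest
]
BASELINE_FILES = {"/ca/aproxy/webapp/index.php", "/ca/aproxy/webapp/logo.png"}

if __name__ == "__main__":
    print("needs patch:", needs_patch("9.4.5.8", True))
    for reason, line in suspicious_requests(SAMPLE_LOG):
        print(f"[{reason}] {line}")
    print("unexpected PHP:", unexpected_php_files(SAMPLE_LISTING, BASELINE_FILES))
    print("unknown admins:", unknown_admins(["admin", "array", "support"], ["admin", "array"]))
```

Feed the functions your real exports in place of the constructed samples; the version check is the one to run first, since a gateway on 9.4.5.8 or earlier with DesktopDirect enabled should be patched or have the feature disabled regardless of what the logs show.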

Vendors

Array Networks

Threats

  • ArrayOS AG command injection
  • VPN webshell deployment

Targets

  • enterprise VPN gateways
  • ArrayOS AG Series appliances
  • remote access infrastructure