CISA Includes CVE-2023-28461 Vulnerability in KEV Catalog


Critical Improper Authentication Flaw CVE-2023-28461 in Array Networks AG and vxAG: Immediate Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-28461, an Improper Authentication vulnerability in Array Networks' AG series and vxAG series secure access gateways, to its Known Exploited Vulnerabilities (KEV) catalog. Inclusion in KEV means CISA has evidence that the flaw is being exploited in the wild, not merely that it is exploitable in theory, which is why the warning is directed at every organization relying on these appliances for application delivery and SSL VPN access.

The flaw affects devices running ArrayOS AG 9.4.0.481 and earlier. Because it sits in the authentication path itself, an attacker who can reach the gateway over the network can send a specially crafted HTTP request to bypass authentication, read files on the SSL VPN gateway, and ultimately execute arbitrary commands on the appliance. SSL VPN gateways are, by design, reachable from the internet, so the exposed population is large and the attacker needs nothing more than connectivity to the login surface.
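The two operational questions this raises are which appliances are at or below the 9.4.0.481 cut-off and how urgently each one must be fixed now that the CVE is in KEV. The script below is an added example, not code from CISA or Array Networks: it parses ArrayOS version strings numerically (a plain string comparison would rank "9.4.0.99" above "9.4.0.481"), reads a KEV record in the shape of CISA's public JSON feed, and ranks a device inventory. The KEV excerpt, the device inventory, and the dates in the excerpt are constructed for illustration; field names follow the public feed, but check the live catalog for the real dateAdded and dueDate values.

```python
"""Exposure triage for CVE-2023-28461 (Array Networks AG/vxAG, ArrayOS AG <= 9.4.0.481).

Added example, not code from CISA or Array Networks. The KEV excerpt and the
device inventory below are constructed; dates are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

CVE = "CVE-2023-28461"
# Highest affected ArrayOS AG build named in the advisory: this build and
# anything older is in scope.
LAST_VULNERABLE = "9.4.0.481"

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": CVE,
     "vendorProject": "Array Networks",
     "product": "AG/vxAG ArrayOS",
     "vulnerabilityName": "Array Networks AG/vxAG ArrayOS Improper Authentication Vulnerability",
     "dateAdded": "2024-11-25",   # placeholder, verify against the live catalog
     "dueDate": "2024-12-16",     # placeholder, verify against the live catalog
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2000-0001", "vendorProject": "Other", "product": "Unrelated",
     "dateAdded": "2024-01-01", "dueDate": "2024-01-22", "requiredAction": "n/a"},
]})


@dataclass
class Device:
    hostname: str
    product: str          # "AG" or "vxAG"
    version: str          # ArrayOS AG version string as reported by the appliance
    internet_facing: bool


def parse_version(v: str) -> tuple:
    """'9.4.0.481' -> (9, 4, 0, 481). Only dotted integers are accepted, so a
    value like '9.4.0.481-hotfix' fails loudly instead of comparing wrongly."""
    v = v.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unparseable ArrayOS version: {v!r}")
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, last_vulnerable: str = LAST_VULNERABLE) -> bool:
    """True when version <= last_vulnerable. Shorter strings are zero-padded,
    so '9.4' is treated as 9.4.0.0 and therefore affected."""
    a, b = parse_version(version), parse_version(last_vulnerable)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def kev_entry(feed_json: str, cve: str) -> Optional[dict]:
    """Return the KEV record for cve, or None if it is not in the catalog."""
    for rec in json.loads(feed_json)["vulnerabilities"]:
        if rec["cveID"] == cve:
            return rec
    return None


def triage(devices, feed_json: str = KEV_SAMPLE, cve: str = CVE) -> list:
    """Rank affected devices. Known exploitation (KEV) plus internet exposure
    is P1; one of the two is P2; neither is P3. Unaffected builds are skipped."""
    entry = kev_entry(feed_json, cve)
    findings = []
    for d in devices:
        if not is_affected(d.version):
            continue
        if entry is not None and d.internet_facing:
            priority = "P1"
        elif entry is not None or d.internet_facing:
            priority = "P2"
        else:
            priority = "P3"
        findings.append({
            "hostname": d.hostname,
            "product": d.product,
            "version": d.version,
            "priority": priority,
            "kev_due_date": entry["dueDate"] if entry else None,
            "action": entry["requiredAction"] if entry else "upgrade or isolate",
        })
    return sorted(findings, key=lambda f: f["priority"])


# Constructed inventory; hostnames and versions are invented.
INVENTORY = [
    Device("vpn-gw-01", "AG", "9.4.0.481", internet_facing=True),    # last affected build
    Device("vpn-gw-02", "vxAG", "9.4.0.484", internet_facing=True),  # newer build, out of scope
    Device("lab-vxag-01", "vxAG", "9.3.0.200", internet_facing=False),
    Device("dr-ag-01", "AG", "9.4", internet_facing=True),           # short version string
]

if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['priority']} {f['hostname']:<12} {f['version']:<10} due {f['kev_due_date']}")
```

In practice the inventory comes from the appliances themselves or a CMDB export, and the feed from the live KEV URL; the priority rule is deliberately simple so that it can be adjusted to local policy, for example treating any KEV entry as P1 regardless of exposure.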

The implications are severe. The Common Vulnerability Scoring System (CVSS) base score of 9.8 (Critical) corresponds to a flaw that is reachable over the network, needs no privileges or user interaction, and yields full loss of confidentiality, integrity, and availability of the affected system. The Exploit Prediction Scoring System (EPSS) figure cited at the time of writing, a 0.32% probability of exploitation within the next 30 days, should not be read as reassurance: EPSS is a statistical prediction updated daily, whereas KEV listing is based on exploitation that has actually been observed, and for an internet-facing gateway the latter is the signal to act on.

Array Networks has acknowledged the issue and urges customers to upgrade to a fixed ArrayOS AG release, or to take vulnerable versions out of service where upgrading is not possible. For U.S. federal civilian agencies the KEV listing carries a binding remediation deadline under Binding Operational Directive 22-01; other organizations should treat that due date as the outer bound, since remote-access gateways are a favoured entry point for attackers precisely because they sit in front of internal networks.

Beyond patching, operators should confirm which AG and vxAG appliances are exposed to the internet and which version each one runs, and, because KEV inclusion means the flaw has already been used in attacks, review gateway logs and configurations for signs of prior unauthorized access rather than assuming that patching alone closes the matter.
