Security Alert: Command Injection Vulnerability in Array Networks AG Series
Overview of the Vulnerability
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a critical advisory regarding a command injection vulnerability in the Array Networks AG Series secure access gateways. This flaw has been actively exploited in Japan since August 2025, allowing attackers to breach internal networks by deploying web shells. The advisory was revised on December 5, 2025, highlighting the ongoing severity of the situation.
Understanding the Flaw
The vulnerability is rooted in the DesktopDirect feature of the AG Series. This remote desktop access tool was intended to facilitate secure connections for users accessing their office resources. Although Array Networks addressed the issue quietly on May 11, 2025, the absence of a publicly available CVE identifier and the number of unpatched devices have left a large vulnerability surface for potential attackers.
According to JPCERT, “Exploitation of this vulnerability could allow attackers to execute arbitrary commands.” Notably, systems utilizing the DesktopDirect feature are particularly vulnerable, and having this feature enabled is essential for successful exploitation.
Attack Patterns and Origins
JPCERT documented that since August 2025, several organizations in Japan have faced intrusions tied to this critical security gap. Attackers have used techniques such as embedding PHP-based web shells in specific paths like “/webapp/”, facilitating persistent remote access.
Interestingly, all malicious traffic has been traced back to a single IP address: 194.233.100[.]138. However, the identity and agenda of the threat actors behind this activity remain unknown, with further details on their tools and methodologies yet to be disclosed.
No Connection to Previous Vulnerabilities
This newly identified command injection vulnerability operates independently of a previously exploited issue in the same product line, which is identified as CVE-2023-28461. Rated with a high-severity score of CVSS 9.8, the earlier vulnerability was exploited in 2024 by the cyber-espionage group known as MirrorFace, which has a history of targeting Japanese institutions.
While both vulnerabilities affect similar systems, JPCERT has stressed that there is currently no evidence linking the command injection attacks to MirrorFace or any activity connected to CVE-2023-28461.
Affected Versions and Updates Required
The command injection vulnerability impacts all versions of ArrayOS prior to 9.4.5.9, particularly those that support the DesktopDirect feature. Array Networks has released an updated firmware version, ArrayOS 9.4.5.9, designed to rectify this security flaw. Users are strongly encouraged to update their systems promptly to mitigate risks.
JPCERT also cautioned administrators that rebooting the devices after applying this patch could lead to the loss of crucial log files, which are vital for investigating potential intrusions. Therefore, preserving these logs prior to system updates or reboots is recommended.
Recommended Workarounds
For organizations that are unable to implement the firmware update immediately, Array Networks recommends temporary mitigation strategies:
- Disable DesktopDirect Services: If the DesktopDirect feature is not actively being used, it should be disabled to reduce vulnerability exposure.
- Implement URL Filtering: Organizations should consider implementing URL filtering to block requests containing semicolons (“;”), which are commonly used in command injection techniques.
These precautionary measures serve to help minimize exposure until a timely patch can be applied.
Vigilance Recommended
In light of these developments, JPCERT has urged all users of affected Array Networks products to closely monitor their systems for any signs of compromise. Reported malicious activities linked to this vulnerability include the installation of web shells, creation of unauthorized user accounts, and additional internal intrusions initiated via the compromised AG gateways. As security threats evolve, staying informed and proactive becomes essential in safeguarding sensitive information.
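As an added illustration of the monitoring JPCERT recommends, the following script (not part of the advisory or of Array Networks' product) triages access-log lines for the three indicators the article names: the single malicious source IP, semicolons in request URIs (the pattern the URL-filtering workaround blocks, including the percent-encoded form), and PHP files under “/webapp/”. The combined-log-style format and the sample lines are constructed assumptions; the real AG Series log layout may differ.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicator taken from the advisory: the one source IP behind all observed malicious traffic.
KNOWN_BAD_IPS = {"194.233.100.138"}

# Assumed combined-log-style format (hypothetical); adapt the regex to the gateway's real logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> list[str]:
    """Return the indicators a single access-log line matches (empty list if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["uri"])
    # Decode percent-encoding so an encoded semicolon (%3B) is caught as well as a literal one.
    path, query = unquote(parts.path), unquote(parts.query)
    hits = []
    if m["ip"] in KNOWN_BAD_IPS:
        hits.append("known-bad-source-ip")
    if ";" in path or ";" in query:
        hits.append("semicolon-in-request")   # what the recommended URL filter would block
    if path.startswith("/webapp/") and path.lower().endswith(".php"):
        hits.append("php-under-webapp")       # where JPCERT observed web shells being placed
    return hits


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map each log line that matched at least one indicator to its list of indicators."""
    result = {}
    for line in lines:
        hits = classify(line)
        if hits:
            result[line] = hits
    return result


# Constructed sample lines (not real traffic); 203.0.113.x is documentation address space.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Dec/2025:10:00:01 +0900] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Dec/2025:10:00:02 +0900] "GET /portal/?user=alice;x HTTP/1.1" 200 88',
    '203.0.113.7 - - [02/Dec/2025:10:00:03 +0900] "GET /portal/?user=alice%3Bx HTTP/1.1" 200 88',
    '194.233.100.138 - - [02/Dec/2025:10:00:04 +0900] "POST /webapp/example.php HTTP/1.1" 200 17',
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

A hit on the semicolon rule alone is a lead to review, not proof of compromise; a PHP file under “/webapp/” or traffic from the listed IP should be preserved with the surrounding logs before any patch or reboot.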