At a glance: Active exploitation of an Array Networks AG gateway flaw enables unauthenticated command injection and remote code execution. Versions 9.4.5.8 and earlier are affected. Patch to 9.4.5.9+ or apply workarounds. Field Effect MDR alerts clients to vulnerable appliances and signs of compromise.
Threat summary
On December 5, JPCERT/CC reported on active exploitation of a vulnerability affecting Array Networks AG Series secure access gateways versions 9.4.5.8 and earlier. This flaw has not yet been assigned a CVE identifier, but Array Networks released a patched version in May 2025 to address the issue.
The affected technology is the Array Networks AG Series secure access gateways, which provide Secure Sockets Layer (SSL) virtual private network (VPN), secure remote desktop access, and mobile access to enterprise applications. The vulnerability resides in the DesktopDirect feature, which allows employees to connect to their office workstations remotely.
In the cases confirmed by JPCERT/CC, threat actors abused HTTP headers to execute commands without authentication, gaining control of the gateway. Exploitation resulted in remote code execution and lateral movement into internal networks. Threat actors have been implanting web shells and maintaining persistence since August 2025, targeting organizations that had not applied the vendor’s patch.
In November 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a similar flaw, tracked as CVE-2023-28461, to its Known Exploited Vulnerabilities catalog, noting active exploitation. That exploitation was linked to the China-based state-sponsored threat actor MirrorFace. There is no evidence that the current campaign is linked to this previous one.
Analyst insight
Exploitation of this flaw does not appear to be complex, requiring only crafted HTTP requests, but could lead to full system compromise, credential theft, and persistent access to victim environments.
Organizations relying on these gateways for secure remote access are advised to confirm that all AG appliances are updated to version 9.4.5.9 or later. Network segmentation and strict access controls can reduce the impact of exploitation.
Where patching is delayed, Array Networks has provided the following workarounds for this vulnerability:
- If you are not using the DesktopDirect feature, disable all DesktopDirect services.
- Use a URL filter to deny access to URLs that contain ";".
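As an added example (not Array Networks' or Field Effect's code), the following Python checks web-access-log lines for request URLs containing ";", including percent-encoded and double-encoded forms that a naive string match on the raw URL would miss. The log lines, IP addresses and paths are constructed placeholders, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log style (placeholder hosts and paths).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [05/Dec/2025:10:00:02 +0000] "GET /app/page;cmd HTTP/1.1" 200 10
203.0.113.12 - - [05/Dec/2025:10:00:03 +0000] "GET /app/page%3Bcmd HTTP/1.1" 200 10
203.0.113.13 - - [05/Dec/2025:10:00:04 +0000] "GET /app/page%253Bcmd HTTP/1.1" 200 10
203.0.113.14 - - [05/Dec/2025:10:00:05 +0000] "GET /app/page?x=a%2Bb HTTP/1.1" 200 10
"""

# Source IP, timestamp, request line (method, target, protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def url_contains_semicolon(target: str) -> bool:
    """True if the request target contains ';' before or after percent-decoding.

    Decoding repeats until the string stops changing (bounded to a few rounds),
    so '%3B' and double-encoded '%253B' are both caught.
    """
    current = target
    for _ in range(3):
        if ";" in current:
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return ";" in current


def flag_requests(log_text: str):
    """Return (source_ip, request_target, status) for each request whose URL contains ';'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if url_contains_semicolon(m.group("target")):
            hits.append((m.group("src"), m.group("target"), m.group("status")))
    return hits
```

The same decode-then-match logic applies when configuring the URL filter itself: a rule that only matches a literal ";" in the raw path will not block the encoded variants.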
Field Effect MDR strengthens this defense by detecting early behaviors that indicate compromise, such as anomalous HTTP requests and signs of web shell activity. Field Effect MDR clients would have received an ARO alert identifying any instances vulnerable to the noted flaw, with remediation guidance.