Hackers actively exploit critical ArrayOS AG VPN flaw to plant webshells and create rogue accounts

05.12.2025 2 minutes Author: Newsman

Threat actors are actively exploiting a command injection vulnerability in Array AG Series VPN devices, allowing them to deploy webshells and create unauthorized user accounts. Although the issue was patched in a May security update, the vendor has not assigned an official identifier, complicating tracking and patch management.

Japan’s CERT reports that attacks have been ongoing since at least August, with the attackers using IP address 194.233.100[.]138 for both exploitation and follow-up communications. Confirmed incidents show attempts to drop a PHP webshell in the directory /ca/aproxy/webapp/.

  • All ArrayOS AG versions prior to 9.4.5.8 are vulnerable, including both hardware and virtual appliances when the DesktopDirect remote desktop feature is enabled.

  • CERT advises updating to version 9.4.5.9 immediately. If updating is not possible, organizations should disable DesktopDirect or block URLs containing a semicolon, which are commonly used in the exploit chain.
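A defender-side way to act on the indicators above is to flag the vulnerable version range and sweep the device's access logs for the reported attacker IP, semicolon-bearing URLs, and PHP requests under the webshell drop directory. The script below is an added example written for this article, not code from Array Networks or from the CERT report; it assumes the logs are in the Apache/nginx "combined" format and uses constructed sample lines (the request paths are invented placeholders, only the IP, directory and version threshold come from the article).

```python
import re
from urllib.parse import unquote

# Indicators taken from the article (assumed accurate as reported, not vendor-confirmed):
SUSPECT_IP = "194.233.100.138"        # printed defanged in the article as 194.233.100[.]138
WEBSHELL_DIR = "/ca/aproxy/webapp/"   # directory where the PHP webshell was dropped
FIRST_FIXED_VERSION = (9, 4, 5, 8)    # all ArrayOS AG releases before this are affected

# Apache/nginx "combined" access-log layout; assumed for the appliance's web logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(ver: str) -> tuple:
    """Turn '9.4.5.7' into (9, 4, 5, 7) so versions compare numerically."""
    return tuple(int(part) for part in ver.strip().split("."))


def is_vulnerable_version(ver: str) -> bool:
    """True for ArrayOS AG releases older than the first fixed build (9.4.5.8)."""
    return parse_version(ver) < FIRST_FIXED_VERSION


def classify_request(line: str) -> list:
    """Return the reasons a single access-log line matches this campaign's indicators."""
    m = LOG_RE.match(line)
    if not m:
        return []                      # not a combined-format line; ignore
    reasons = []
    url = unquote(m.group("url"))      # decode %3B so an encoded ';' is also caught
    path = url.split("?", 1)[0]
    if m.group("ip") == SUSPECT_IP:
        reasons.append("source ip matches reported attacker ip")
    if ";" in url:
        reasons.append("semicolon in request url")
    if path.startswith(WEBSHELL_DIR) and path.lower().endswith(".php"):
        reasons.append("php request under webshell drop directory")
    return reasons


def scan_log(lines) -> list:
    """Return (line, reasons) for every line that trips at least one rule."""
    hits = []
    for line in lines:
        reasons = classify_request(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample log lines (paths are placeholders, not real ArrayOS endpoints).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /vpn/login HTTP/1.1" 200 512',
    '194.233.100.138 - - [01/Dec/2025:10:02:13 +0000] "GET /remote/desktop;session=1 HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Dec/2025:10:03:44 +0000] "POST /ca/aproxy/webapp/x.php HTTP/1.1" 200 42',
    '10.0.0.7 - - [01/Dec/2025:10:04:00 +0000] "GET /remote/desktop%3Btype=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ver in ("9.4.5.7", "9.4.5.9"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for line, reasons in scan_log(SAMPLE_LOG):
        print(reasons, "<-", line)
```

The semicolon rule is deliberately broad, matching the CERT's blocking advice rather than any specific payload, so expect some noise from legitimate path parameters; the webshell-directory rule and the IP match are the high-confidence signals worth alerting on directly.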

Array AG devices are widely used by large enterprises to enable secure remote access. Researchers have identified 1,831 active instances globally, with most located in China, Japan, and the United States. At least 11 hosts have DesktopDirect enabled, but the actual number may be much higher.

The flaw is under active exploitation, yet Array Networks has not released a CVE or formal advisory. This situation poses a significant threat to organizations relying on AG Series devices for secure remote access. Immediate updating and disabling risky features are essential to mitigate ongoing attacks.
