A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week.
Root Cause in DesktopDirect
The vulnerability, which has no CVE identifier, stems from a flaw in Array’s DesktopDirect, a remote desktop access solution that lets users securely reach their work computers from any location. The company issued a fix on May 11, 2025.
“Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” JPCERT/CC said. “This vulnerability affects systems where the ‘DesktopDirect’ feature, which provides remote desktop access, is enabled.”
Furthermore, the agency confirmed incidents in Japan involving threat actors who exploited the shortcoming after August 2025 to drop web shells on susceptible devices. These attacks originate from the IP address “194.233.100[.]138.”
At this stage, no details clarify the scale of the attacks, the methods used to weaponize the flaw, or the identities of the threat actors exploiting it.
However, an authentication bypass flaw in the same product (CVE-2023-28461, CVSS score: 9.8) saw active exploitation last year by a China-linked cyber espionage group known as MirrorFace, which has targeted Japanese organizations since at least 2019. That said, no evidence currently links that threat actor to the latest attack spree.
Recommended Mitigations
The vulnerability impacts ArrayOS versions 9.4.5.8 and earlier, and the company resolved the issue in ArrayOS 9.4.5.9. JPCERT/CC urges users to apply the latest updates as soon as possible to mitigate potential threats. If patching is not an immediate option, the agency recommends disabling DesktopDirect services and using URL filtering to deny access to URLs containing a semicolon.
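As an added illustration (not part of the JPCERT/CC alert or the article), the semicolon URL-filtering workaround can be checked against web access logs. A filter that only looks for a literal ";" misses percent-encoded forms such as "%3B" or double-encoded "%253B", so the check below decodes repeatedly before deciding. The combined log format and the sample lines are constructed assumptions; the IP address is the indicator published in the alert.

```python
import re
from urllib.parse import unquote

# Indicator published in the JPCERT/CC alert (shown defanged in the article).
KNOWN_BAD_IP = "194.233.100.138"

# Constructed sample access-log lines in combined log format (assumption:
# the gateway's access logs are exported in this shape).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:08:01:10 +0900] "GET /portal/index.html HTTP/1.1" 200 512
194.233.100.138 - - [12/Sep/2025:08:02:31 +0900] "GET /portal/page;x=1 HTTP/1.1" 200 77
10.0.0.9 - - [12/Sep/2025:08:03:02 +0900] "GET /portal/page%3Bx=1 HTTP/1.1" 200 77
10.0.0.9 - - [12/Sep/2025:08:03:05 +0900] "GET /portal/page%253Bx=1 HTTP/1.1" 200 77
10.0.0.7 - - [12/Sep/2025:08:04:00 +0900] "POST /portal/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d+) (?P<size>\S+)$'
)


def contains_semicolon(url, max_decode=3):
    """True if the URL holds ';' literally or after up to max_decode rounds
    of percent-decoding (catches %3B and double-encoded %253B)."""
    cur = url
    for _ in range(max_decode + 1):
        if ";" in cur:
            return True
        nxt = unquote(cur)
        if nxt == cur:      # nothing left to decode
            break
        cur = nxt
    return False


def should_block(url):
    """Decision a URL filter in front of DesktopDirect would take."""
    return contains_semicolon(url)


def scan_log(text):
    """Return (ip, url, reasons) for every log line that matches the
    published indicator or carries a semicolon in the request URL."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] == KNOWN_BAD_IP:
            reasons.append("known-ioc-ip")
        if contains_semicolon(m["url"]):
            reasons.append("semicolon-in-url")
        if reasons:
            findings.append((m["ip"], m["url"], reasons))
    return findings
```

Apply the same decoded check to the query string and to request bodies if the appliance exposes them, since a filter on the raw request line alone is easy to step around.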
Source: TheHackerNews