Advisory

November 27 Advisory: Actively Exploited RCE Vulnerability in Array Networks VPNs [CVE-2023-28461]

Date of Disclosure: March 15, 2023
Date Reported as Actively Exploited (source): November 25, 2024

CVE-2023-28461 is a remote code execution vulnerability in Array Networks’ AG and vxAG Series SSL VPN gateways running ArrayOS AG versions 9.4.0.481 and earlier. This flaw allows unauthenticated attackers to execute remote code by exploiting a specific attribute in an HTTP header, enabling them to browse the filesystem on the SSL VPN gateway.

Recent reports indicate that Chinese threat actors, notably the group known as Earth Kasha (also referred to as MirrorFace), have been actively exploiting this vulnerability. They have historically targeted high-profile organizations in the advanced technology and government sectors in Japan, Taiwan, and India.

CISA has added CVE-2023-28461 to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the necessary patches immediately. Additionally, Array Networks has published an advisory with site commands that can be used to mitigate this vulnerability.

CVE-ID: CVE-2023-28461 – CVSS 9.8 (critical) – assigned by NVD
Vulnerability Description: Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL.
Date of Disclosure: March 15, 2023
Affected Assets: Array Networks Array AG Series and vxAG running the vulnerable version of ArrayOS AG.
Vulnerable Software Versions: ArrayOS AG 9.4.0.481 and earlier.
PoC Available?: No PoC was available at the time of writing.
Exploitation Status: Added to CISA KEV on November 25, 2024. Trend Micro reported that this vulnerability has been exploited in the wild by Earth Kasha.
Patch Status: Array Networks released a security advisory with patches available for download and site commands that can be used to mitigate the vulnerability.

Censys Perspective

At the time of writing, Censys observed 3,427 routable Array Networks AG/vxAG Series VPNs online. A third of these (33%) are geolocated in the United States. Note that not all of these are necessarily vulnerable, as the observed services do not expose their ArrayOS AG version.

While we observed 3,427 Array Networks AG/vxAG Series VPN devices, further analysis revealed that the large majority of these hosts returned HTTP status codes such as 403 Forbidden or 502 Bad Gateway, indicating that access was blocked rather than fully exposed. 

[Map: Publicly Routable Array Networks AG/vxAG Series VPNs]

Censys Search Query:

services.http.response.headers: (key: 'Set-Cookie' and value.headers:'*ANsession*') OR services.tls.certificates.leaf_data.issuer.organizational_unit="AG Product" OR  services.http.response.html_tags:'*AG_PROXY_ID*'

Censys ASM Query:

host.services.http.response.headers: (key: 'Set-Cookie' and value.headers:'*ANsession*') OR host.services.tls.certificates.leaf_data.issuer.organizational_unit="AG Product" OR host.services.http.response.html_tags:'*AG_PROXY_ID*'
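The following is an added example, not Censys code and not part of the Array Networks advisory. It applies the three fingerprint signals of the Censys queries above (the ANsession cookie, the "AG Product" certificate issuer OU, and the AG_PROXY_ID HTML tag) to locally captured service observations, classifies reachability the way the section above does (403/502 responses treated as blocked rather than fully exposed), and checks a version string against the "9.4.0.481 and earlier" affected range from the details table. The ServiceObservation structure, the function names, and all sample hosts are constructed for this example and are not Censys data.

```python
# Added example (not Censys code, not the Array Networks advisory): local
# triage of captured service observations against the page's fingerprint
# signals and the CVE-2023-28461 affected version range. The observation
# shape and sample data are constructed for this example.
import re
from dataclasses import dataclass, field
from typing import Optional

# Highest affected version stated in the advisory (9.4.0.481 and earlier).
AFFECTED_MAX_VERSION = (9, 4, 0, 481)


@dataclass
class ServiceObservation:
    """One observed HTTPS service (constructed shape mirroring the query fields)."""
    http_headers: dict = field(default_factory=dict)   # header name -> list of values
    tls_issuer_ou: Optional[str] = None                # leaf certificate issuer OU
    html_tags: list = field(default_factory=list)      # tags extracted from the body
    http_status: Optional[int] = None


def fingerprint_signals(obs: ServiceObservation) -> list:
    """Return the matched signals, mirroring the OR-ed terms of the Censys query."""
    hits = []
    for name, values in obs.http_headers.items():
        if name.lower() == "set-cookie" and any("ANsession" in v for v in values):
            hits.append("set-cookie:ANsession")
            break
    if obs.tls_issuer_ou == "AG Product":
        hits.append("tls-issuer-ou:AG Product")
    if any("AG_PROXY_ID" in tag for tag in obs.html_tags):
        hits.append("html-tag:AG_PROXY_ID")
    return hits


def parse_arrayos_version(text: str):
    """Extract a four-part ArrayOS AG version (e.g. 9.4.0.481) as an int tuple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def version_status(text: Optional[str]) -> str:
    """'affected' if <= 9.4.0.481, 'not-affected' if newer, 'unknown' if unparsable."""
    version = parse_arrayos_version(text) if text else None
    if version is None:
        return "unknown"
    return "affected" if version <= AFFECTED_MAX_VERSION else "not-affected"


def exposure(obs: ServiceObservation) -> str:
    """403/502 responses indicate access blocked at the edge, not a fully exposed portal."""
    if obs.http_status is None:
        return "unknown"
    if obs.http_status in (403, 502):
        return "blocked"
    return "reachable"


def triage(obs: ServiceObservation, version_text: Optional[str] = None) -> dict:
    """Combine fingerprint, exposure and version into one inventory record."""
    signals = fingerprint_signals(obs)
    return {
        "array_ag": bool(signals),
        "signals": signals,
        "exposure": exposure(obs),
        "version": version_status(version_text),
    }


# Constructed samples (not real hosts): a reachable portal with the session cookie,
# an edge-blocked host identified only by its certificate, and an unrelated host.
SAMPLES = {
    "portal": ServiceObservation(
        http_headers={"Set-Cookie": ["ANsession=abc123; path=/; secure"]},
        html_tags=["<input name='AG_PROXY_ID'>"],
        http_status=200,
    ),
    "blocked": ServiceObservation(tls_issuer_ou="AG Product", http_status=403),
    "other": ServiceObservation(http_headers={"Set-Cookie": ["PHPSESSID=x"]}, http_status=200),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        # Version text would come from an administrator's own inventory, not from the scan.
        print(name, triage(obs, "ArrayOS AG 9.4.0.481" if name == "portal" else None))
```

The version check is deliberately separate from the fingerprint: as the section above notes, the observed services do not expose their ArrayOS AG version, so the version input has to come from an internal asset inventory, and a fingerprint match with an unknown version should be treated as a host to verify rather than as confirmed safe.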
