
Array AG Gateways Command Injection Exploitation Confirmed

Executive Summary

On 2025-12-08, CyberHunter_NL published a threat report titled JPCERT Confirms Active Command Injection Attacks on Array AG Gateways. It summarizes an alert from JPCERT/CC confirming that a command‑injection vulnerability in Array Networks’ AG Series secure access gateways, one that has no CVE identifier assigned, has been exploited in the wild since August 2025. The flaw resides in the DesktopDirect remote‑desktop component and lets attackers execute arbitrary system commands on affected devices. The report also notes that no threat actor has been attributed and that compromised gateways are at risk of web‑shell deployment.

Vulnerability Overview

The vulnerability affects ArrayOS versions 9.4.5.8 and earlier. It stems from improper input validation in the DesktopDirect feature, which provides remote desktop access to corporate workstations through the gateway. A specially crafted request can inject shell commands that the device then executes, bypassing authentication and giving the attacker full control of the underlying operating system. Array Networks fixed the flaw in ArrayOS 9.4.5.9, released on May 11, 2025, but many gateways have not yet been updated.
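To illustrate the class of bug described above, here is an added example that is not Array Networks’ code and is not based on DesktopDirect internals: a hypothetical launcher that splices a request parameter into a shell command line, beside a hardened version that validates the parameter against a hostname allowlist and starts the helper without a shell. The `echo` stand‑in for the real remote‑desktop helper is an assumption made so the example is harmless to run.

```python
import re
import subprocess

# Allowlist for the `target` request parameter: RFC 1123 hostname labels or an
# IPv4 literal. Shell metacharacters, spaces and quotes cannot match this.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def build_command_vulnerable(target: str) -> str:
    """Vulnerable pattern: the request parameter is concatenated into a
    command string. `echo` stands in for a hypothetical desktop launcher."""
    return f"echo connecting to {target}"


def run_vulnerable(target: str) -> str:
    """shell=True hands the string to /bin/sh, so a ';' in `target` ends the
    intended command and whatever follows runs as a second command."""
    return subprocess.run(build_command_vulnerable(target), shell=True,
                          capture_output=True, text=True).stdout


def is_valid_target(target: str) -> bool:
    """True only if the parameter looks like a hostname or IPv4 address."""
    return _HOST_RE.match(target) is not None


def build_command_safe(target: str) -> list:
    """Hardened pattern: allowlist validation, then an argv list. The value is
    passed as a single argument and no shell ever parses it."""
    if not is_valid_target(target):
        raise ValueError(f"rejected target parameter: {target!r}")
    return ["echo", "connecting", "to", target]


def run_safe(target: str) -> str:
    return subprocess.run(build_command_safe(target), shell=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "ws01.corp.example; echo INJECTED"   # constructed injection payload
    print(run_vulnerable(payload))                 # prints the injected line too
    try:
        run_safe(payload)
    except ValueError as exc:
        print(exc)                                 # rejected before any process starts
    print(run_safe("ws01.corp.example"))           # legitimate value still works
```

The fix is the combination of both changes: validation alone can be bypassed if the launcher later grows another string‑built path, and argv‑style execution alone still lets an attacker pass arbitrary arguments to the helper.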

Exploitation Timeline

According to JPCERT/CC, exploitation began in August 2025, with confirmed incidents in Japan. Attackers have used the IP address 194.233.100.138 to deliver web shells to vulnerable gateways. The overall scale of the campaign is unknown, but a web shell gives the attacker persistent access to the gateway and a foothold for lateral movement into the networks behind it.

Threat Actor Context

The current campaign has not been attributed. The same product family was, however, affected by a separate authentication bypass flaw (CVE-2023-28461, CVSS 9.8) that was exploited last year by the China‑linked MirrorFace cyber‑espionage group, which has targeted Japanese organizations since 2019. No direct link between MirrorFace and the present command‑injection attacks has been established, but the overlap in targeting and technique warrants caution.

Impact Assessment

Array AG Gateways are commonly deployed in industrial control systems, corporate networks, and critical infrastructure environments. Compromise of a gateway can lead to unauthorized remote command execution, data exfiltration, and the installation of persistent backdoors. A web shell on the gateway also puts the systems reachable from it at risk, including SCADA servers, PLCs, and other networked equipment.

Mitigation Recommendations

  • Patch Immediately: Apply ArrayOS 9.4.5.9 or later to all gateways. The patch resolves the command‑injection flaw and includes additional security hardening.
  • Disable DesktopDirect: If patching cannot be performed urgently, disable the DesktopDirect service on all devices. This removes the attack surface associated with remote desktop access.
  • URL Filtering: Implement URL filtering to block access to any URLs containing a semicolon (;), as recommended by JPCERT/CC. Apply the rule to the percent‑decoded URL, since an encoded semicolon (%3B) is still a semicolon to the back end. This mitigates injection attempts that rely on URL manipulation.
  • Network Segmentation: Isolate gateway devices from critical network segments. Employ VLANs, firewalls, and strict access controls to limit lateral movement.
  • Monitoring and Detection: Deploy IDS/IPS signatures that detect command‑injection payloads and monitor for anomalous outbound traffic from gateways. Log all authentication attempts and alert on repeated failures.
  • Incident Response: Prepare an incident response plan that includes immediate containment, forensic analysis of compromised gateways, and remediation steps. Ensure backups of gateway configurations are available for rapid recovery.

Detection Guidance

Security analysts should look for the following indicators of compromise (IOCs):

  • Outbound connections from Array AG Gateways to unfamiliar external IP addresses, particularly 194.233.100.138.
  • Unexpected creation of web shells or scripts in the gateway’s file system.
  • Suspicious command execution logs, especially those containing shell metacharacters such as &, |, or ;.
  • Failed authentication attempts or anomalous login patterns on DesktopDirect services.
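As an added example that is not from the JPCERT/CC report or this page, the following Python checks implement the semicolon URL‑filter rule from the mitigation list and the indicators above over constructed sample data. The access‑log format, the /desktopdirect/ paths, and the source and destination addresses are assumptions; the only real indicator used is the IP address 194.233.100.138 named in the report. The filter percent‑decodes the URL before looking for metacharacters, because a rule that matches only the literal character misses %3B and the double‑encoded %253B.

```python
import re
from urllib.parse import unquote

# Constructed sample data (hypothetical paths and addresses), not real device logs.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Aug/2025:03:14:07 +0900] "GET /desktopdirect/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Aug/2025:03:14:09 +0900] "GET /desktopdirect/connect?host=ws01;id HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Aug/2025:03:14:11 +0900] "GET /desktopdirect/connect?host=ws01%3Bcurl%20x HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Aug/2025:03:14:12 +0900] "GET /desktopdirect/connect?host=ws01%253Bid HTTP/1.1" 200 88',
    '10.0.0.7 - - [12/Aug/2025:03:15:00 +0900] "GET /desktopdirect/connect?host=ws02.corp.example HTTP/1.1" 200 88',
]
# Constructed outbound connection records: (gateway address, destination, port).
SAMPLE_OUTBOUND = [
    ("10.0.0.1", "198.51.100.20", 443),
    ("10.0.0.1", "194.233.100.138", 80),
]
# The one indicator taken from the report itself.
IOC_IPS = {"194.233.100.138"}

SHELL_METACHARS = set(";|&`$(){}\n")
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so %3B and %253B both become ';'."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url


def metachars_in(url: str) -> list:
    """Shell metacharacters present in the decoded URL, sorted for stable output."""
    return sorted(c for c in set(fully_decode(url)) if c in SHELL_METACHARS)


def should_block_url(url: str) -> bool:
    """The recommended filter rule: block any request whose decoded URL contains ';'."""
    return ";" in fully_decode(url)


def scan_access_log(lines) -> list:
    """Flag requests carrying shell metacharacters; report whether the
    semicolon rule alone would have blocked each one."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth alerting on in production
        chars = metachars_in(m["url"])
        if chars:
            findings.append({
                "src": m["src"], "ts": m["ts"], "url": m["url"],
                "metachars": chars, "block": should_block_url(m["url"]),
            })
    return findings


def scan_outbound(records, ioc_ips=IOC_IPS) -> list:
    """Outbound connections from the gateway to a known indicator address."""
    return [r for r in records if r[1] in ioc_ips]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['src']} {f['url']} metachars={f['metachars']} blocked={f['block']}")
    for src, dst, port in scan_outbound(SAMPLE_OUTBOUND):
        print(f"IOC hit: {src} -> {dst}:{port}")
```

Note that the semicolon rule only covers one separator: `metachars_in` also reports `|`, `&`, backticks and `$()`, which the recommended filter does not block, so treat the URL filter as a stopgap and the broader metacharacter check as the detection signal.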

Conclusion

The active exploitation of a command‑injection vulnerability in Array AG Gateways represents a significant threat to organizations that rely on these devices for secure remote access. Immediate patching, service disablement, and network hardening are essential to mitigate the risk. Continuous monitoring and a robust incident response plan will help detect and contain any ongoing attacks before they can compromise critical infrastructure.

For more detailed information, refer to the original report: JPCERT Confirms Active Command Injection Attacks on Array AG Gateways and the associated threat intelligence pulse: AlienVault OTX Pulse.


Copyright © 2025 ESSGroup
