A critical command injection vulnerability in Array Networks' ArrayOS AG systems is being actively exploited, with confirmed attacks on Japanese organizations since August 2025.
According to JPCERT/CC, attackers are using this flaw to install webshells and maintain persistent access to enterprise networks, signaling a serious escalation in targeting VPN infrastructure.
About the Vulnerability
The issue exists in the DesktopDirect feature of Array AG series, which allows remote desktop access. This command injection vulnerability lets attackers run arbitrary commands on vulnerable systems without valid credentials.
Although Array Networks released a patched version (9.4.5.9) in May 2025, unpatched systems continue to be exploited, particularly in Japanese enterprises.
Affected Systems
- ArrayOS AG version 9.4.5.8 and earlier
- Systems with DesktopDirect enabled
This creates a broad attack surface, as many organizations rely on Array Networks VPNs for critical remote access.
How Attackers Operate
Investigations by JPCERT/CC revealed:
- Deployment of PHP webshells in /ca/aproxy/webapp/
- Creation of unauthorized user accounts
- Internal network reconnaissance using compromised devices
A single source IP (194.233.100.138) was linked to attack traffic, suggesting centralized command and control operations.
Attackers have established fallback access mechanisms to maintain presence even if credentials change or vulnerabilities are patched.
Mitigation Steps
- Upgrade immediately to ArrayOS AG 9.4.5.9. Test carefully, as patching requires system reboots and may result in log loss.
- Interim measures for organizations unable to patch immediately:
  - Disable DesktopDirect if not needed
  - Block URLs containing semicolon characters, commonly used in command injection attacks
- Investigate current systems for compromise:
  - Check for unexpected user accounts
  - Analyze the /ca/aproxy/webapp/ directory for webshell artifacts
  - Review network logs for connections from the malicious IP
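The three investigation steps above, together with the indicators JPCERT/CC reported (PHP webshells under /ca/aproxy/webapp/, unauthorized accounts, traffic from 194.233.100.138), can be turned into a small offline triage script. This is an added example, not tooling from Array Networks or JPCERT/CC. It assumes an Apache/CLF-style access log (the sample lines are constructed), a plain list of user names exported from the appliance, and a directory listing as a stand-in for /ca/aproxy/webapp/; the content heuristic for PHP files (looking for common execution primitives) is an assumption, not a published signature.

```python
"""Offline triage helpers for the ArrayOS AG compromise indicators described above.
Added example; not Array Networks or JPCERT/CC tooling.  Log format, account export
and directory layout are assumptions; the only page-sourced values are the IoC IP
and the webshell directory name."""
import os
import re
import tempfile
from urllib.parse import unquote

# Indicator from the article: source IP linked to attack traffic.
MALICIOUS_IPS = {"194.233.100.138"}
# Directory where JPCERT/CC observed PHP webshells (used here only as a label).
WEBSHELL_DIR = "/ca/aproxy/webapp/"

# Minimal CLF-style access-log parser: client IP, method, request path, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real ArrayOS output).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:09:12:01 +0900] "GET /portal/login HTTP/1.1" 200 512',
    '194.233.100.138 - - [01/Sep/2025:09:13:44 +0900] "GET /portal/index.html HTTP/1.1" 200 1020',
    '203.0.113.9 - - [01/Sep/2025:09:14:02 +0900] "GET /app/page;cmd HTTP/1.1" 200 33',
    '203.0.113.9 - - [01/Sep/2025:09:14:10 +0900] "GET /app/page?x=1%253Bcmd HTTP/1.1" 200 33',
]
# Constructed account lists: a known-good baseline and the current export.
SAMPLE_BASELINE_USERS = ["admin", "svc_backup"]
SAMPLE_CURRENT_USERS = ["admin", "svc_backup", "support2"]


def url_has_semicolon(path, max_decode=2):
    """True if the request path contains a semicolon, raw or percent-encoded
    (decoded up to max_decode times so %3B and %253B are both caught).
    Mirrors the interim 'block URLs containing semicolons' mitigation."""
    candidate = path
    for _ in range(max_decode + 1):
        if ";" in candidate:
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False


def triage_access_log(lines):
    """Return (reason, client_ip, path) findings for the two log-based indicators."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, path = m.group("ip"), m.group("path")
        if ip in MALICIOUS_IPS:
            findings.append(("known-malicious-ip", ip, path))
        if url_has_semicolon(path):
            findings.append(("semicolon-in-url", ip, path))
    return findings


def unexpected_accounts(current_accounts, baseline_accounts):
    """Accounts present now that were not in the approved baseline."""
    return sorted(set(current_accounts) - set(baseline_accounts))


def webshell_candidates(root):
    """List every .php file under root as (path, suspicious).  Any PHP file in the
    webapp directory deserves review; 'suspicious' additionally marks files that
    contain common execution/input primitives (heuristic assumption)."""
    tokens = ("eval(", "system(", "shell_exec(", "passthru(", "$_REQUEST", "$_POST")
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="ignore") as fh:
                    body = fh.read()
            except OSError:
                continue
            hits.append((full, any(tok in body for tok in tokens)))
    return sorted(hits)


def build_sample_webapp_dir():
    """Constructed stand-in for /ca/aproxy/webapp/: one benign HTML file and one PHP
    file whose comment carries a token, so the scan can be exercised offline."""
    root = tempfile.mkdtemp(prefix="arrayos-webapp-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>portal</body></html>\n")
    with open(os.path.join(root, "cache.php"), "w") as fh:
        fh.write("<?php // constructed sample: contains the token eval( for the scan\n")
    return root


if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_LOG):
        print("LOG ", *finding)
    for user in unexpected_accounts(SAMPLE_CURRENT_USERS, SAMPLE_BASELINE_USERS):
        print("USER", user)
    for path, suspicious in webshell_candidates(build_sample_webapp_dir()):
        print("FILE", path, "suspicious" if suspicious else "review")
```

On a real appliance the same functions would be pointed at the exported access log, the account list, and a copy of /ca/aproxy/webapp/ taken before any reboot, since the article notes that patching can lose logs. The percent-decoding loop matters because a URL filter that only looks for a literal `;` misses encoded variants.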