Hackers Exploit Critical ArrayOS AG VPN Vulnerability to Deploy Webshells
Cybersecurity researchers have uncovered an ongoing exploitation campaign targeting Array Networks AG Series VPN devices, in which threat actors are leveraging a command injection vulnerability, fixed by the vendor in May 2025 but still unpatched on many deployed devices, to deploy webshells and gain unauthorized access to corporate networks. The vulnerability affects widely used enterprise VPN infrastructure and has been actively exploited since at least August 2025, raising serious concerns about the security of remote access systems across organizations worldwide.
Understanding the ArrayOS AG VPN Security Flaw
Array Networks identified and addressed a critical command injection vulnerability in its AG Series VPN devices through a security update released in May 2025. However, the company has not assigned a Common Vulnerabilities and Exposures (CVE) identifier to the flaw, creating significant challenges for security teams attempting to track the vulnerability and implement proper patch management procedures.
The vulnerability specifically impacts ArrayOS AG version 9.4.5.8 and all earlier versions, including both AG Series hardware appliances and virtual appliances that have the DesktopDirect remote access feature enabled. This remote access functionality, designed to provide secure connectivity to corporate resources, has become the attack vector that cybercriminals are exploiting to gain unauthorized access to targeted networks.
Active Exploitation Campaign Details
The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued an urgent advisory warning organizations about active exploitation attempts originating from a specific IP address: 194.233.100[.]138. Security analysts have confirmed that attackers are using this infrastructure for both initial exploitation and subsequent command-and-control communications with compromised systems.
The attack methodology involves executing commands designed to place PHP webshell files in specific directory paths within the Array VPN infrastructure. JPCERT’s investigation revealed that attackers are specifically targeting the /ca/aproxy/webapp/ directory to establish persistent backdoor access. Once these webshells are successfully deployed, threat actors can execute arbitrary commands, exfiltrate sensitive data, and create rogue administrator accounts that provide long-term access to compromised networks.
Global Impact and Exposure Analysis
Security researcher Yutaka Sejiyama from Macnica conducted comprehensive scanning operations to assess the global exposure of vulnerable ArrayOS AG instances. The research identified approximately 1,831 potentially vulnerable devices distributed across multiple geographic regions, with the highest concentrations found in China, Japan, and the United States.
The analysis revealed that at least 11 verified hosts have the DesktopDirect feature actively enabled, making them immediately vulnerable to exploitation. However, Sejiyama emphasized that the actual number of exposed systems could be significantly higher, as many organizations may not have properly inventoried their VPN infrastructure or disabled unnecessary remote access features.
Because Array Networks products are concentrated in Asian markets, security organizations and threat intelligence providers in Western regions may not be monitoring exploitation attempts as closely, and detection content for this specific vulnerability may be less widely available from global security vendors. Organizations outside that region should not assume their existing tooling already covers it.
Critical Implications for Enterprise Security
Array Networks AG Series secure access gateways serve as critical infrastructure components for large organizations and enterprises that depend on SSL VPN technology to facilitate remote and mobile workforce connectivity. These devices create encrypted tunnels that enable secure access to corporate networks, business applications, virtual desktops, and cloud-based resources.
The exploitation of VPN infrastructure represents one of the most severe security risks organizations face because successful compromise provides attackers with legitimate-appearing access to internal networks. Once inside the perimeter, threat actors can move laterally across network segments, escalate privileges, access sensitive data repositories, and potentially deploy ransomware or other destructive malware.
The absence of a CVE identifier compounds the risk by making it difficult for automated vulnerability management systems to detect and prioritize this critical security issue. Organizations relying on CVE-based risk assessment frameworks may not recognize the urgency of updating their Array VPN devices, leaving them exposed to active exploitation.
Recommended Security Measures and Workarounds
Array Networks released version 9.4.5.9 of ArrayOS to address the command injection vulnerability. Organizations operating AG Series VPN devices should prioritize immediate deployment of this security update to eliminate the exploitation vector. Note that installing 9.4.5.9 closes the injection vector but does not remove webshells or accounts an attacker has already planted; any device that was exposed while vulnerable also needs a compromise assessment. JPCERT recognizes that immediate patching may not be feasible for all organizations due to operational constraints or change management procedures.
For organizations unable to implement the security update immediately, JPCERT has provided two temporary workarounds to reduce exposure risk. The first recommendation involves disabling all DesktopDirect services if this remote access feature is not actively required for business operations. Many organizations enable remote access features during initial VPN configuration but may no longer need this functionality, making disablement a practical risk reduction strategy.
The second workaround involves URL filtering rules that block any request whose URL contains a semicolon character, the shell command separator used in the observed injection. This is a narrow stopgap: the filter must match on the URL after percent-decoding (so that %3B is caught as well as a literal semicolon), it may break legitimate requests that carry semicolons, and it does not address the underlying flaw. It only buys time while the official update is scheduled.
Organizations should also conduct thorough security audits of their Array VPN infrastructure to identify any indicators of compromise. Security teams should specifically examine web server directories, in particular /ca/aproxy/webapp/, for unexpected PHP files, review administrator account creation logs for unauthorized additions, and analyze network traffic for connections to the IP address associated with this campaign or for requests whose URLs contain semicolons. Treat any hit as an active incident: a webshell in place means the device should be considered fully compromised, and patching alone will not evict the attacker.
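The following triage script is an added illustration of the semicolon workaround check and the audit steps above (and the detection steps repeated in the FAQ). It is not code from Array Networks, JPCERT or this article. It assumes two things that are constructed for the example: access-log lines in a simple "client_ip method url status" format, and a copy of the appliance's web directory exported to a local path; real log formats and paths will differ, and only the IP address and the webshell directory name come from the advisory.

```python
"""Triage helpers for the Array AG DesktopDirect command-injection campaign.

Added, illustrative example; not code from Array Networks, JPCERT or the
article. Assumptions (constructed): access logs as "client_ip method url
status" lines, and a local export of the appliance web directory.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

KNOWN_BAD_IP = "194.233.100.138"  # source IP named in the JPCERT advisory
# PHP primitives a webshell needs to run attacker-supplied code or commands.
EXEC_PRIMITIVES = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I)
# Superglobals through which a webshell receives its input.
REQUEST_INPUT = re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\b")


def url_has_semicolon(raw_url: str) -> bool:
    """Check behind the JPCERT 'block URLs containing ;' workaround.

    Percent-decode twice before matching so that ';', '%3B' and the
    double-encoded '%253B' are all treated alike. A filter that only looks
    for the literal character is bypassed with '%3B'.
    """
    decoded = raw_url
    for _ in range(2):
        decoded = unquote(decoded)
    return ";" in decoded


def triage_log_line(line: str) -> list[str]:
    """Return the reasons a log line is suspicious; empty list means clean."""
    parts = line.split()
    if len(parts) < 4:
        return []
    client_ip, _method, url, _status = parts[:4]
    reasons = []
    if client_ip == KNOWN_BAD_IP:
        reasons.append("known-bad-ip")
    if url_has_semicolon(url):
        reasons.append("semicolon-in-url")
    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map every suspicious line in a log export to its reasons."""
    return {ln: r for ln in text.splitlines() if (r := triage_log_line(ln))}


def scan_for_webshells(root: Path) -> list[Path]:
    """Flag .php files that both read request input and call an execution
    primitive, the minimal shape of a webshell. Review hits by hand; some
    legitimate admin tooling matches too."""
    hits = []
    for path in root.rglob("*.php"):
        data = path.read_bytes()
        if EXEC_PRIMITIVES.search(data) and REQUEST_INPUT.search(data):
            hits.append(path)
    return sorted(hits)


# Constructed sample log with hypothetical URL paths; only the IP is real.
SAMPLE_LOG = """\
203.0.113.10 GET /portal/login 200
194.233.100.138 GET /portal/login 200
198.51.100.7 POST /portal/launch?host=x;id 500
198.51.100.7 POST /portal/launch?host=x%253Bid 500
203.0.113.10 GET /portal/static/app.js 200
"""


def demo_webshell_scan() -> list[str]:
    """Build a throwaway 'webapp' directory with one benign and one
    shell-like PHP file (both constructed) and return the flagged names."""
    with tempfile.TemporaryDirectory() as tmp:
        webapp = Path(tmp) / "webapp"
        webapp.mkdir()
        (webapp / "index.php").write_bytes(b"<?php echo 'hello'; ?>")
        (webapp / "cache.php").write_bytes(b"<?php @eval($_POST['x']); ?>")
        return [p.name for p in scan_for_webshells(webapp)]


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{', '.join(reasons):<30} {line}")
    print("webshell candidates:", demo_webshell_scan())
```

Run it against a real log export by replacing SAMPLE_LOG and pointing scan_for_webshells at the exported copy of /ca/aproxy/webapp/. The double decode in url_has_semicolon is the point of the first half: a URL filter that matches only the literal character gives false comfort. The content heuristic in the second half deliberately requires both an execution primitive and request input, which keeps noise low but means an obfuscated shell (base64 layers, variable functions) will need a second pass or a file integrity baseline.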
Historical Context and Ongoing VPN Security Concerns
This recent exploitation campaign follows a concerning pattern of attacks targeting Array Networks products. In 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued warnings about active exploitation of CVE-2023-28461, a critical remote code execution vulnerability affecting Array Networks AG and vxAG ArrayOS platforms. The repeated targeting of Array Networks infrastructure demonstrates that cybercriminals view VPN systems as high-value targets that provide strategic access to enterprise networks.
The lack of public CVE assignment for actively exploited vulnerabilities represents a broader challenge in the cybersecurity ecosystem. Without standardized vulnerability identifiers, security teams face difficulties correlating threat intelligence, prioritizing remediation efforts, and ensuring comprehensive coverage across vulnerability management platforms. Array Networks’ decision not to request CVE assignment creates unnecessary obstacles for organizations attempting to protect their infrastructure.
Security professionals should recognize that VPN infrastructure requires the same rigorous security practices applied to other critical systems, including regular security updates, configuration hardening, continuous monitoring for anomalous activity, and regular security assessments. Organizations should maintain detailed inventories of all remote access systems and ensure that security updates are deployed promptly when vendors release critical patches.
Frequently Asked Questions
What is a webshell and why is it dangerous?
A webshell is a malicious script that attackers upload to web servers to gain remote control capabilities. Once installed, webshells allow cybercriminals to execute commands, access sensitive files, modify system configurations, and maintain persistent access to compromised systems. In the context of VPN infrastructure, webshells provide attackers with strategic footholds within enterprise networks that can be used for data theft, ransomware deployment, or lateral movement to additional systems.
How can I determine if my Array VPN system has been compromised?
Organizations should examine the /ca/aproxy/webapp/ directory for unexpected PHP files, review system logs for command execution attempts from suspicious IP addresses (particularly 194.233.100[.]138), audit administrator accounts for unauthorized additions, and monitor network traffic for unusual outbound connections. Implementing file integrity monitoring on critical VPN system directories can help detect unauthorized file modifications or additions that may indicate webshell deployment.
Why hasn’t Array Networks assigned a CVE identifier for this vulnerability?
Array Networks has not publicly explained their decision not to request CVE assignment for this actively exploited vulnerability. This absence complicates vulnerability tracking, patch management prioritization, and threat intelligence correlation for security teams. Organizations concerned about this issue should contact Array Networks directly to request formal vulnerability documentation and advocate for CVE assignment to improve industry-wide security posture.
Are virtual appliances as vulnerable as hardware devices?
Yes, both AG Series hardware appliances and virtual appliances running vulnerable ArrayOS versions with DesktopDirect enabled are susceptible to exploitation. Virtual appliances may actually face higher risk in some environments because they are sometimes deployed rapidly without the same rigorous security configuration reviews applied to physical hardware. Organizations should ensure that all Array VPN instances, regardless of deployment type, receive immediate security updates.
What should organizations do if they cannot immediately patch their systems?
Organizations unable to deploy the security update immediately should implement the recommended workarounds, including disabling DesktopDirect services if not required and implementing URL filtering that blocks requests containing semicolon characters (matched after percent-decoding). Additional protective measures include restricting VPN administrative access to specific trusted IP addresses, implementing enhanced monitoring for suspicious file creation or modification activities, and establishing incident response procedures specifically for potential VPN compromise scenarios.
How does this vulnerability compare to previous Array Networks security issues?
This command injection vulnerability follows similar patterns to CVE-2023-28461, which also enabled remote code execution on Array Networks platforms and was actively exploited in the wild. The recurring nature of critical vulnerabilities in Array Networks products suggests that organizations using this VPN infrastructure should maintain heightened vigilance, prioritize rapid patch deployment, and consider implementing additional security controls such as web application firewalls or intrusion prevention systems to provide defense-in-depth protection.
How Technijian Can Help
At Technijian, we understand the critical importance of securing your organization’s remote access infrastructure against emerging threats like the ArrayOS AG VPN vulnerability. Our comprehensive managed IT security services provide the expertise and proactive monitoring necessary to protect your business from sophisticated exploitation campaigns targeting VPN systems and other critical infrastructure components.
Our cybersecurity specialists conduct thorough vulnerability assessments of your entire IT environment, identifying exposed systems, misconfigured security controls, and potential attack vectors that cybercriminals could exploit. We implement enterprise-grade patch management processes that ensure your VPN appliances, network devices, and server infrastructure receive critical security updates promptly, minimizing your exposure window to known vulnerabilities.
Technijian’s 24/7 security monitoring services detect suspicious activities such as unauthorized file modifications, unusual network traffic patterns, and potential webshell deployments before attackers can establish persistent access to your network. Our security operations center analyzes threat intelligence from global sources to identify emerging exploitation campaigns and proactively protect your infrastructure against the latest attack techniques.
For organizations using Array Networks VPN solutions or other remote access technologies, we provide specialized security hardening services that disable unnecessary features, implement defense-in-depth security controls, and establish continuous monitoring specifically designed to detect VPN-targeted attacks. Our incident response team stands ready to investigate potential compromises, contain active threats, and restore your systems to secure operational status.
Beyond immediate vulnerability remediation, Technijian helps organizations develop comprehensive security strategies that address the full spectrum of remote access risks. We implement zero-trust network access frameworks, multi-factor authentication systems, and network segmentation architectures that limit the potential impact of VPN compromise even if attackers successfully exploit infrastructure vulnerabilities.
Don’t wait until cybercriminals exploit vulnerable VPN infrastructure to gain access to your critical business systems and sensitive data. Contact Technijian today to schedule a comprehensive security assessment and learn how our managed security services can protect your organization from evolving cyber threats. Our team of certified security professionals brings over two decades of experience protecting Orange County and Southern California businesses from sophisticated cyberattacks.
About Technijian
Technijian is a premier Managed IT Services provider in Irvine, specializing in delivering secure, scalable, and innovative AI and technology solutions across Orange County and Southern California. Founded in 2000 by Ravi Jain, what started as a one-man IT shop has evolved into a trusted technology partner with teams of engineers, AI specialists, and cybersecurity professionals both in the U.S. and internationally.
Headquartered in Irvine, we provide comprehensive cybersecurity solutions, IT support, AI implementation services, and cloud services throughout Orange County—from Aliso Viejo, Anaheim, Costa Mesa, and Fountain Valley to Newport Beach, Santa Ana, Tustin, and beyond. Our extensive experience with enterprise security deployments, combined with our deep understanding of local business needs, makes us the ideal partner for organizations seeking to implement security solutions that provide real protection.
We work closely with clients across diverse industries, including healthcare, finance, law, retail, and professional services, to design security strategies that reduce risk, enhance productivity, and maintain the highest protection standards. Our Irvine-based office remains our primary hub, delivering the personalized service and responsive support that businesses across Orange County have relied on for over two decades.
With expertise spanning cybersecurity, managed IT services, AI implementation, consulting, and cloud solutions, Technijian has become the go-to partner for small to medium businesses seeking reliable technology infrastructure and comprehensive security capabilities. Whether you need Cisco Umbrella deployment in Irvine, DNS security implementation in Santa Ana, or phishing prevention consulting in Anaheim, we deliver technology solutions that align with your business goals and security requirements.
Partner with Technijian and experience the difference of a local IT company that combines global security expertise with community-driven service. Our mission is to help businesses across Irvine, Orange County, and Southern California harness the power of advanced cybersecurity to stay protected, efficient, and competitive in today’s threat-filled digital world.