Array AG Series VPN exploitation wave targeting Japan
Exploitation Wave
Summary
Array AG Series VPN devices are seeing active exploitation against organizations in Japan, with abuse observed since at least August. Attackers are using a command injection vulnerability to plant PHP webshells and create rogue users on exposed appliances. The sustained targeting makes the flaw a continuing risk for internet-facing remote-access deployments.
Related Happenings
Array Networks AG Series secure access gateways command injection flaw (actively exploited)
Vulnerability
First: 05.12.2025 07:40
Last: 05.12.2025 07:40
Sources 1
About this happening:
**Array Networks AG Series secure access gateways** are facing an **actively exploited command injection flaw** in **DesktopDirect** that can enable **arbitrary command execution*...
ArrayOS 9.4.5.9 security update for command injection
Security Patch Release
First: 05.12.2025 07:40
Last: 05.12.2025 07:40
Sources 1
About this happening:
**Array Networks** issued **ArrayOS 9.4.5.9** to fix a **command injection** issue affecting **ArrayOS 9.4.5.8 and earlier**, closing a path to **arbitrary command execution** on...
ArrayOS AG command injection flaw (actively exploited)
Vulnerability
First: 05.12.2025 01:05
Last: 05.12.2025 01:05
Sources 1
How related:
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
About this happening:
A **command injection flaw** in **Array AG Series VPN devices** is being **actively exploited**, enabling attackers to plant **webshells** and create **rogue users** on exposed ap...
SonicWall SSL VPN access control flaw actively exploited (CVE-2024-40766)
Vulnerability
First: 11.09.2025 19:32
Last: 11.09.2025 19:32
Sources 1
About this happening:
**CVE-2024-40766** is a **SonicWall SSL VPN** access control flaw that has been **actively exploited** to breach exposed devices, with **Akira ransomware** tied to the campaign. R...
Latest development: 29.09.2025 12:32
Akira ransomware remains active against SonicWall firewalls, with Arctic Wolf observing dozens of incidents over the past three months tied to CVE-2024-40766 abuse, SSL VPN logins from VPS hosting providers, Impacket SMB activity, and Active Directory discovery. The campaign targets SSL VPN accounts using OTP MFA, and Barracuda separately observed Akira affiliates using Datto RMM, backup agents, and PowerShell to gain control while avoiding security alerts.
Timeline
- 05.12.2025 01:05 · 2 articles
JPCERT warns of active ArrayOS AG exploitation
Initial Disclosure: JPCERT/CC warned on December 4, 2025 that unknown threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices running ArrayOS AG 9.4.5.8 and earlier, including appliances with DesktopDirect enabled, to plant PHP webshells in /ca/aproxy/webapp/ and create rogue users. The activity has targeted organizations in Japan since at least August and uses 194.233.100[.]138 for communications; ArrayOS 9.4.5.9 plus the documented DesktopDirect and URL-filtering workarounds address the issue. Macnica researcher Yutaka Sejiyama also reported scans showing 1,831 ArrayAG instances worldwide, with at least 11 hosts exposing DesktopDirect.
- Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
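As an added example (not part of the original page, JPCERT/CC's advisory, or Array Networks' tooling), a small Python triage helper that applies the three concrete facts from the timeline entry to an appliance inventory: the 9.4.5.8-and-earlier version threshold, the /ca/aproxy/webapp/ webshell directory, and the 194.233.100[.]138 communication address. The connection-log line format, the baseline file list and all sample inputs are constructed assumptions.

```python
import ipaddress
import re

FIXED_VERSION = (9, 4, 5, 9)          # ArrayOS 9.4.5.9 closes the flaw; 9.4.5.8 and earlier are affected
WEBSHELL_DIR = "/ca/aproxy/webapp/"   # directory where the PHP webshells were planted
IOC_IP = ipaddress.ip_address("194.233.100.138")  # advisory's 194.233.100[.]138, refanged
# Assumed log-line format: "<timestamp> <src_ip> <dst_ip> <bytes>" (constructed for this example)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def is_vulnerable_version(version):
    """True for ArrayOS AG builds below the fixed 9.4.5.9 (i.e. 9.4.5.8 and earlier)."""
    return tuple(int(p) for p in version.strip().split(".")) < FIXED_VERSION

def suspicious_php(listing, baseline):
    """PHP files under WEBSHELL_DIR that are absent from a known-good baseline
    (for example a listing taken from a freshly patched appliance)."""
    return [p for p in listing if p.startswith(WEBSHELL_DIR)
            and p.lower().endswith(".php") and p not in baseline]

def ioc_hits(log_lines):
    """Connection-log lines whose source or destination is the advisory's IP."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        try:
            ends = {ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))}
        except ValueError:
            continue  # not parseable as IP addresses
        if IOC_IP in ends:
            hits.append(line)
    return hits

def triage(version, desktopdirect_enabled, listing, baseline, log_lines):
    """One verdict per appliance: patch state, exposure and post-exploitation indicators."""
    vuln = is_vulnerable_version(version)
    return {"vulnerable_version": vuln,
            "desktopdirect_exposed": vuln and desktopdirect_enabled,
            "suspect_php": suspicious_php(listing, baseline),
            "ioc_connections": ioc_hits(log_lines)}

# Constructed sample inputs, not real appliance data
BASELINE = {"/ca/aproxy/webapp/index.php"}
LISTING = ["/ca/aproxy/webapp/index.php", "/ca/aproxy/webapp/img/logo.png",
           "/ca/aproxy/webapp/cache.php"]
LOG = ["2025-11-02T10:15:01Z 10.0.0.5 203.0.113.7 512",
       "2025-11-02T10:16:44Z 194.233.100.138 10.0.0.5 2048", "garbled line"]
```

A real baseline should come from a clean reference appliance of the same build, since the stock web app may legitimately contain PHP files.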