Array Networks AG Series secure access gateways command injection flaw (actively exploited)
Vulnerability
Summary
Array Networks AG Series secure access gateways are facing an actively exploited command injection flaw in DesktopDirect that can enable arbitrary command execution when the feature is enabled. JPCERT/CC says the abuse has continued since August 2025 and has already led to confirmed web-shell incidents in Japan. Array says the issue was fixed on May 11, 2025 in ArrayOS 9.4.5.9, while ArrayOS 9.4.5.8 and earlier remain affected.
Related Happenings
ArrayOS AG command injection flaw (actively exploited)
Vulnerability
First: 05.12.2025 01:05
Last: 05.12.2025 01:05
Sources 1
About this happening:
A **command injection flaw** in **Array AG Series VPN devices** is being **actively exploited**, enabling attackers to plant **webshells** and create **rogue users** on exposed ap...
Array AG Series VPN exploitation wave targeting Japan
Exploitation Wave
First: 05.12.2025 01:05
Last: 05.12.2025 01:05
Sources 1
About this happening:
**Array AG Series VPN devices** are seeing **active exploitation** against **organizations in Japan**, with abuse observed **since at least August**. Attackers are using a **comma...
Timeline
05.12.2025 07:40 2 articles · 5mo ago
JPCERT/CC warns of active exploitation of Array Networks AG gateways
Initial Disclosure: JPCERT/CC said a command injection flaw in Array Networks AG Series secure access gateways, rooted in DesktopDirect, had been exploited in the wild since August 2025, with confirmed incidents in Japan that dropped web shells on susceptible devices. Array Networks had already addressed the flaw on May 11, 2025, and advised upgrading to ArrayOS 9.4.5.9 or, if patching is delayed, disabling DesktopDirect and filtering semicolon-containing URLs.
Sources:
- JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40