ArrayOS 9.4.5.9 security update for command injection
Security Patch Release
Summary
Array Networks issued ArrayOS 9.4.5.9 to fix a command injection issue affecting ArrayOS 9.4.5.8 and earlier, closing a path to arbitrary command execution on exposed AG Series secure access gateways. The fix applies to systems where DesktopDirect is enabled, which is the feature tied to the exposed remote-access surface. Operators who cannot patch immediately are advised to disable DesktopDirect and use URL filtering as a temporary safeguard.
Related Happenings
Array AG Series VPN exploitation wave targeting Japan
Exploitation Wave
First: 05.12.2025 01:05
Last: 05.12.2025 01:05
Sources 1
About this happening:
**Array AG Series VPN devices** are seeing **active exploitation** against **organizations in Japan**, with abuse observed **since at least August**. Attackers are using a **comma...
Timeline
05.12.2025 07:40 2 articles · 5mo ago
ArrayOS 9.4.5.9 security update for command injection
Initial Disclosure
On **May 11, 2025**, **Array Networks** addressed a **command injection** flaw in **ArrayOS** by releasing **9.4.5.9** for **AG Series secure access gateways**. The fix covered **ArrayOS 9.4.5.8 and earlier** and targeted the **DesktopDirect** exposure path.
- JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40