Critical Vulnerability Exploited in Array Networks SSL VPN Products

Hackers have been found exploiting a critical vulnerability in Array Networks' SSL VPN products, as confirmed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2023-28461, affects both Array AG Series hardware and vxAG virtual appliances running ArrayOS version 9.4.0.481 and earlier. It carries a severity score of 9.8 out of 10 and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Nature of the Vulnerability
This flaw allows attackers to execute remote code or access the filesystem on the SSL VPN gateway without needing authentication. The issue stems from improper handling of the "flags" attribute in HTTP headers.
Disclosure and Fixes
The vulnerability was originally disclosed on March 9, 2022, and Array Networks promptly addressed it by releasing an updated version, 9.4.0.484, shortly thereafter.
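Because the affected and fixed builds differ only in the last version segment, an inventory check has to compare ArrayOS versions numerically rather than as strings. The following is an added example written for this article, not code from Array Networks or CISA; it assumes ArrayOS reports a purely numeric dotted version string, and the inventory it scans is constructed sample data.

```python
# Added example (not Array Networks or CISA code). Assumes ArrayOS reports a
# purely numeric dotted version such as "9.4.0.481"; inventory is constructed.
from typing import List, Tuple

LAST_AFFECTED = "9.4.0.481"   # article: "9.4.0.481 and earlier" are affected
FIXED_RELEASE = "9.4.0.484"   # release that contains the fix


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.4.0.481' -> (9, 4, 0, 481), so segments compare numerically."""
    # A plain string compare would rank '9.4.0.1000' below '9.4.0.484'.
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ArrayOS version string: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unverified' for one ArrayOS version."""
    # 'unverified' is this example's assumption for builds between the last
    # affected build and the fixed release, which the advisory does not name.
    v = parse_version(version)
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED_RELEASE):
        return "fixed"
    return "unverified"


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Names of appliances not confirmed to be on the fixed release."""
    return [name for name, ver in inventory if classify(ver) != "fixed"]


# Constructed sample inventory: (appliance name, reported ArrayOS version)
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "9.4.0.481"),   # last affected build
    ("vpn-gw-02", "9.4.0.484"),   # fixed release
    ("vpn-gw-03", "9.3.0.200"),   # older branch, below the fix
    ("vpn-gw-04", "9.4.0.1000"),  # a string compare would misrank this
    ("vpn-gw-05", "9.4.0.482"),   # build not named in the advisory
]

if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY:
        print(f"{name:10} {ver:12} {classify(ver)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```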
Impact and Usage
Array Networks' SSL VPN solutions are employed by over 5,000 entities worldwide, including enterprises, service providers, and government agencies.
CISA's Recommendations

CISA advises all affected parties, especially federal agencies and critical infrastructure organizations, to apply the necessary security updates or other recommended mitigations by December 16. Guidance for remediation is available via the Array support portal. If immediate upgrades are not feasible, a set of mitigation commands can be used, though these should be tested beforehand to avoid disruptions to functionalities like Client Security and the VPN client's automatic upgrade capabilities. The agency has not disclosed specific information about the entities currently being targeted. However, the inclusion of CVE-2023-28461 in the KEV catalog underscores the threat's seriousness and the need for swift action.