CISA Warns of Active Exploitation of Critical Array Networks Vulnerability

by CybrGPT

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched but high-severity vulnerability affecting Array Networks AG and vxAG ArrayOS to its Known Exploited Vulnerabilities (KEV) catalog.

The move follows reports of active exploitation in the wild.

The flaw, identified as CVE-2023-28461 and rated 9.8 on the CVSS scale, stems from missing authentication for a critical function in ArrayOS, the operating system that powers Array AG and vxAG series SSL VPN gateways.

Successful exploitation of the flaw could allow unauthenticated attackers to gain access, potentially compromising sensitive data or the entire network.

This could pose significant risks to government systems and the private sector.

“Array AG/vxAG remote code execution vulnerability enables attackers to browse the filesystem or execute remote code on the SSL VPN gateway using a flag attribute in HTTP headers without authentication. The product can be exploited via a vulnerable URL,” Array Networks stated in a support page.

This vulnerability mainly affects ArrayOS AG 9.4.0.481 and earlier versions. However, it does not impact AVX, APV, ASF, and AG/vxAG (running ArrayOS AG 10.x versions) series products.

Array Networks addressed the flaw with the release of ArrayOS AG version 9.4.0.484 in March 2023.

The network hardware vendor strongly recommends that organizations update their affected devices to this version immediately.
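The version boundaries above can be turned into an inventory triage check. The following is an added example, not code from Array Networks or CISA; the hostnames, inventory rows and the assumption that devices report a dotted four-part build number are constructed for illustration.

```python
import re

# Version boundaries as stated in the article.
LAST_AFFECTED = (9, 4, 0, 481)   # "9.4.0.481 and earlier"
FIRST_FIXED = (9, 4, 0, 484)     # fixed release, March 2023
UNAFFECTED_SERIES = {"AVX", "APV", "ASF"}
AFFECTED, FIXED, NOT_AFFECTED, REVIEW = "AFFECTED", "FIXED", "NOT_AFFECTED", "REVIEW"

def parse_version(text):
    """Pull a dotted four-part build number out of a banner or inventory field."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def triage(series, version_text):
    """Classify one device for CVE-2023-28461 exposure."""
    s = series.upper()
    if s in UNAFFECTED_SERIES:
        return NOT_AFFECTED
    if s not in {"AG", "VXAG"}:
        return REVIEW                      # series the article does not mention
    ver = parse_version(version_text)
    if ver is None or ver[0] > 10:
        return REVIEW                      # unparseable or outside the stated ranges
    if ver[0] == 10:
        return NOT_AFFECTED                # ArrayOS AG 10.x is not impacted
    if ver <= LAST_AFFECTED:
        return AFFECTED                    # upgrade or apply vendor mitigations
    if ver >= FIRST_FIXED:
        return FIXED
    return REVIEW                          # builds .482/.483: not covered by the article

# Constructed inventory rows: (hostname, series, reported version string).
INVENTORY = [
    ("vpn-gw-01", "AG",   "ArrayOS AG 9.4.0.481"),
    ("vpn-gw-02", "vxAG", "ArrayOS AG 9.4.0.484"),
    ("vpn-gw-03", "AG",   "ArrayOS AG 10.4.2.93"),
    ("vpn-gw-04", "vxAG", "ArrayOS AG 9.4.0.482"),
    ("adc-01",    "APV",  "ArrayOS APV 10.4.0.1"),
    ("vpn-gw-05", "AG",   "version unknown"),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(series, ver) for host, series, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:10} {status}")
```

Devices returned as `REVIEW` need a manual check against the vendor advisory rather than being assumed safe.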

Array Networks has provided temporary mitigation measures for organizations that cannot implement the fix immediately.

These involve disabling functionalities like Client Security, VPN client automatic upgrades, and Portal User Resources, along with setting up blacklist rules to block malicious traffic.

More detailed instructions for these workarounds are available on the Array Networks support portal.

Evidence of active exploitation of this vulnerability has led CISA to mandate Federal Civilian Executive Branch (FCEB) agencies to apply the patches by December 16, 2024, to mitigate the risk.


© 2025 cybrgpt.com – All rights reserved.