Summary: A command injection flaw in Array Networks AG Series gateways has been under exploitation since August 2025, according to a new advisory from JPCERT/CC. The flaw, which has yet to be assigned a CVE number, resides in the DesktopDirect function of the Array AG series, a feature that provides remote desktop access. An attacker exploiting the flaw could execute arbitrary commands. In the attacks observed by JPCERT/CC, the vulnerability has been weaponized to install PHP webshells, create unauthorized user accounts, and establish footholds for lateral movement.
Security Officer Comments: Exploitation involves targeting the DesktopDirect interface with specially crafted requests whose URLs contain semicolon characters. The semicolon breaks command boundaries, allowing attackers to execute unauthorized instructions. In cases confirmed by JPCERT/CC, a command was executed that attempted to install a PHP webshell in a path containing "/webapp/", enabling remote command execution. The deployed webshell acts as a backdoor, allowing actors to maintain persistent access, facilitate data exfiltration, and pivot deeper into the targeted network.
Suggested Corrections: Attack traffic has been traced back to the IP address 194[.]233[.]100[.]138, which organizations should block at their firewall.
Array Networks recommends updating to a version that fixes this vulnerability: ArrayOS AG 9.4.5.9.
Note: rebooting the product after applying the fixed version may result in the loss of logs.
If you are unable to apply the fixed version, Array Networks has provided the following workarounds:
- If you are not using the DesktopDirect feature, disable all DesktopDirect services
- Use a URL filter to deny access to URLs that contain ";".
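The following is an added detection example, not code from JPCERT/CC, Array Networks or the linked article. It applies the two indicators given above (the listed source IP and a semicolon in the request URL) to web-access log lines. The combined log format, the constructed sample entries and the /desktopdirect/ URL prefix are assumptions; the only value taken from the advisory is the IP address. Percent-encoded semicolons (%3B) are decoded before matching, so a filter built on the same predicate does not silently miss encoded forms.

```python
"""Flag access-log entries that match the indicators in the advisory.

Added example (not JPCERT/CC or Array Networks code). Assumptions:
- logs are in nginx/Apache "combined" format
- DesktopDirect requests live under /desktopdirect/ (hypothetical prefix)
The blocked IP is the one listed in the advisory.
"""
import re
from urllib.parse import unquote

# Source IP named in the advisory (defanged there as 194[.]233[.]100[.]138)
BLOCKED_IPS = {"194.233.100.138"}

# combined format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def url_filter_denies(path: str) -> bool:
    """Predicate behind the 'deny URLs containing ;' workaround.

    Percent-decoding first matters: a filter that only looks for a literal
    ';' would let '%3B' through, and the gateway decodes it later.
    """
    return ";" in unquote(path)


def findings_for(line: str) -> list[str]:
    """Return the list of reasons a single log line is suspicious ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable log line"]
    reasons = []
    if m["ip"] in BLOCKED_IPS:
        reasons.append("source IP in advisory block list")
    if url_filter_denies(m["path"]):
        reasons.append("semicolon in request URL")
    return reasons


def scan(lines):
    """Yield (line_number, source_ip, reasons) for every flagged line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        reasons = findings_for(line)
        if reasons:
            hits.append((lineno, line.split()[0], reasons))
    return hits


# Constructed sample log; the paths and client IPs are made up for the demo.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:09:12:01 +0900] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
194.233.100.138 - - [10/Nov/2025:09:12:07 +0900] "GET /desktopdirect/index;placeholder HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.9 - - [10/Nov/2025:09:13:40 +0900] "GET /desktopdirect/index%3Bplaceholder HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.77 - - [10/Nov/2025:09:14:02 +0900] "GET /static/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, ip, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"line {lineno} from {ip}: {', '.join(reasons)}")
```

Lines 2 and 3 of the sample are flagged; line 3 is caught only because the path is decoded before the semicolon check. Run it against a real export of the gateway's access log (if the log format differs, adjust LOG_RE), and treat any hit as a prompt to review the host for the unauthorized accounts and PHP files described above.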
Link(s): https://cybersecuritynews.com/hackers-exploiting-arrayos-ag-vpn-vulnerability/