CVE-2023-28461
published 2023-03-15


Priority: P1 · 96 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Ransomware
CISA Known Exploited Vulnerability (due 2024-12-16)
Exploited in the wild
EPSS: 67.64% (99.2nd percentile)
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

Affected

1 range
Vendor: arraynetworks
Product: arrayos_ag
Version range: <= 9.4.0.481
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

IP: 194.233.100[.]138
Path: /ca/aproxy/webapp/
  • Detect exploitation attempts by monitoring HTTP requests containing a 'flags' attribute in the HTTP header targeting the SSL VPN gateway without authentication.
  • Monitor for PHP webshell file creation under the path /ca/aproxy/webapp/ on Array AG/vxAG devices.
  • Use URL filtering to block access to URLs containing a semicolon as a workaround for the command injection vector.
  • Monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity as post-exploitation indicators associated with MirrorFace (Earth Kasha) leveraging CVE-2023-28461.
  • Audit process creation on Windows hosts to detect when Windows Sandbox is launched and what configuration file was used, as MirrorFace uses Windows Sandbox to execute LODEINFO malware while evading host-based AV.
  • Block or alert on inbound connections from IP 194.233.100[.]138, identified as the attack origin and C2 communication address in active exploitation incidents.
  • Mitigation commands provided by the vendor may negatively impact Client Security functionality, the VPN client's ability to auto-upgrade, and the Portal User Resource function — test before deploying.
  • The fixed version for the JPCERT-tracked command injection variant is ArrayOS AG 9.4.5.9; the original CVE-2023-28461 RCE was patched in Array AG release 9.4.0.484.
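A detection sketch over the indicators listed above, as an added example (not code from cvebase, Array Networks, or the cited sources): it flags unauthenticated requests carrying a 'flags' header, URLs containing a semicolon, traffic from the listed IP, and PHP file creation under /ca/aproxy/webapp/. The record layout, the header name 'flags' and the sample entries are assumptions; the page does not give the device's actual log format or the exact header syntax.

```python
"""Detection sketch for the CVE-2023-28461 indicators on this page (added
example, not vendor or cvebase code; sample records are constructed)."""
from dataclasses import dataclass

WEBSHELL_DIR = "/ca/aproxy/webapp/"
KNOWN_BAD_IPS = {"194.233.100.138"}  # page lists it defanged: 194.233.100[.]138

@dataclass
class HttpRequest:
    client_ip: str
    path: str
    headers: dict        # header name -> value, as a proxy/WAF might log it
    authenticated: bool  # did the gateway see a valid session?

def request_findings(req: HttpRequest) -> list:
    """Detection notes that fire for one HTTP request."""
    findings = []
    # Exact header syntax is not given on the page: match the name only (assumption).
    has_flags = any(name.lower() == "flags" for name in req.headers)
    if has_flags and not req.authenticated:
        findings.append("unauthenticated request carrying a 'flags' header")
    if ";" in req.path:
        findings.append("semicolon in URL (vendor workaround blocks these)")
    if req.client_ip.replace("[.]", ".") in KNOWN_BAD_IPS:  # compare refanged
        findings.append("source IP is the listed attack origin / C2 address")
    return findings

def file_event_findings(created_path: str) -> list:
    """Flag PHP files appearing in the webshell drop directory."""
    if created_path.startswith(WEBSHELL_DIR) and created_path.lower().endswith(".php"):
        return ["PHP file created under " + WEBSHELL_DIR + ": " + created_path]
    return []

def scan(requests, file_events) -> list:
    """Combine both feeds into (source, subject, finding) alert tuples."""
    alerts = [(r.client_ip, r.path, f) for r in requests for f in request_findings(r)]
    alerts += [("fs", p, f) for p in file_events for f in file_event_findings(p)]
    return alerts

# Constructed sample data, not real logs.
SAMPLE_REQUESTS = [
    HttpRequest("203.0.113.7", "/portal/login", {"Host": "vpn.example"}, False),
    HttpRequest("194.233.100[.]138", "/portal/page;x", {"flags": "1"}, False),
    HttpRequest("198.51.100.9", "/portal/home", {"Flags": "1"}, True),  # authed: no alert
]
SAMPLE_FILES = ["/ca/aproxy/webapp/shell.php", "/ca/aproxy/webapp/style.css", "/tmp/note.php"]
```

Running scan(SAMPLE_REQUESTS, SAMPLE_FILES) yields three alerts for the second request and one for the PHP file; the authenticated request with a Flags header is deliberately not flagged.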

CVSS provenance

NVD: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL