CVE-2023-28461
Published 2023-03-15
Priority P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2024-12-16
Exploited in the wild
EPSS: 67.64% (99.2th percentile)
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arraynetworks | arrayos_ag | <= 9.4.0.481 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP requests containing a 'flags' attribute in the HTTP header targeting the SSL VPN gateway without authentication.
- Monitor for PHP webshell file creation under the path /ca/aproxy/webapp/ on Array AG/vxAG devices.
- Use URL filtering to block access to URLs containing a semicolon as a workaround for the command injection vector.
- Monitor for suspicious PowerShell logs, unauthorized communications with VSCode domains, and unusual sandbox activity as post-exploitation indicators associated with MirrorFace (Earth Kasha) leveraging CVE-2023-28461.
- Audit process creation on Windows hosts to detect when Windows Sandbox is launched and what configuration file was used, as MirrorFace uses Windows Sandbox to execute LODEINFO malware while evading host-based AV.
- Block or alert on inbound connections from IP 194.233.100[.]138, identified as the attack origin and C2 communication address in active exploitation incidents.
- Mitigation commands provided by the vendor may negatively impact Client Security functionality, the VPN client's ability to auto-upgrade, and the Portal User Resource function; test before deploying.
- The fixed version for the JPCERT-tracked command injection variant is ArrayOS AG 9.4.5.9; the original CVE-2023-28461 RCE was patched in Array AG release 9.4.0.484.
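The indicators above, turned into a small triage script. This is an added example, not code from Array Networks, CISA, JPCERT/CC or any of the cited sources. It assumes JSON-lines telemetry with the record shapes shown in the constructed sample, assumes the 'flags' attribute appears as `flags=<value>` inside some header value (the advisory does not name the header, so every header is inspected), and uses placeholder URL paths, since the vulnerable URL is not published on this page.

```python
"""Triage constructed telemetry against the CVE-2023-28461 indicators listed above.

Added example; not code from Array Networks, CISA, JPCERT/CC or any cited source.
Record shapes (JSON per line), header names and all URL paths are assumptions
made for the example.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Indicators from the list above. The source defangs the IP as 194.233.100[.]138.
ATTACK_ORIGIN_IPS = {"194.233.100[.]138".replace("[.]", ".")}
WEBSHELL_DIR = "/ca/aproxy/webapp/"
# Assumption: the 'flags' attribute shows up as "flags=<value>" inside a header value.
# The advisory does not say which header carries it, so every header is inspected.
FLAGS_ATTR_RE = re.compile(r"(?:^|[;,\s])flags\s*=", re.IGNORECASE)
WSB_FILE_RE = re.compile(r'([^\s"]+\.wsb)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def check_http_request(rec: dict) -> list[Finding]:
    """HTTP-side indicators: known origin IP, unauthenticated 'flags' header, ';' in the URL."""
    findings: list[Finding] = []
    src = rec.get("src_ip", "")
    path = rec.get("path", "")
    if src in ATTACK_ORIGIN_IPS:
        findings.append(Finding("known-attack-origin", f"request from {src}"))
    if not rec.get("authenticated", False):
        for name, value in rec.get("headers", {}).items():
            if FLAGS_ATTR_RE.search(value):
                findings.append(Finding("flags-attr-unauth", f"{name}: {value}"))
    if ";" in path:  # the semicolon is the vendor's URL-filtering workaround criterion
        findings.append(Finding("semicolon-in-url", path))
    return findings


def check_file_event(rec: dict) -> list[Finding]:
    """Gateway file indicator: a .php file created under the webapp directory."""
    path = rec.get("path", "")
    if rec.get("action") == "create" and path.startswith(WEBSHELL_DIR) and path.lower().endswith(".php"):
        return [Finding("webshell-drop", path)]
    return []


def check_process_event(rec: dict) -> list[Finding]:
    """Windows host indicator: Windows Sandbox launched, recording the .wsb config it was given."""
    image = rec.get("image", "").lower()
    if not image.endswith("windowssandbox.exe"):
        return []
    m = WSB_FILE_RE.search(rec.get("cmdline", ""))
    cfg = m.group(1) if m else "(no .wsb file on command line)"
    return [Finding("windows-sandbox-launch", cfg)]


CHECKS: dict[str, Callable[[dict], list[Finding]]] = {
    "http": check_http_request,
    "file": check_file_event,
    "process": check_process_event,
}


def triage(lines: Iterable[str]) -> list[tuple[int, Finding]]:
    """Parse JSON-lines records and return (line number, finding) for every indicator hit."""
    hits: list[tuple[int, Finding]] = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        for finding in CHECKS.get(rec.get("type"), lambda _: [])(rec):
            hits.append((lineno, finding))
    return hits


# Constructed sample telemetry (not real logs). One JSON object per line; the URL paths
# are placeholders, not the vulnerable URL, which the advisory does not publish.
SAMPLE_LOG = r"""
{"type":"http","src_ip":"203.0.113.7","method":"GET","path":"/portal/login","authenticated":true,"headers":{"User-Agent":"Mozilla/5.0"}}
{"type":"http","src_ip":"194.233.100.138","method":"GET","path":"/example/path;id","authenticated":false,"headers":{"Cookie":"flags=...; other=1"}}
{"type":"file","host":"vxag-01","action":"create","path":"/ca/aproxy/webapp/cmd.php"}
{"type":"file","host":"vxag-01","action":"create","path":"/ca/aproxy/webapp/index.html"}
{"type":"process","host":"WS-42","image":"C:\\Windows\\System32\\WindowsSandbox.exe","cmdline":"WindowsSandbox.exe C:\\Users\\u\\AppData\\Local\\Temp\\run.wsb"}
"""

if __name__ == "__main__":
    for lineno, finding in triage(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {finding.rule}: {finding.detail}")
```

The 'flags' check is deliberately gated on the request being unauthenticated, matching the indicator's wording; an authenticated session carrying the same attribute is normal portal traffic and would otherwise flood the alert queue. The semicolon rule mirrors the vendor's URL-filtering workaround and will also match legitimate URLs that use path parameters, so it is better treated as a correlation signal next to the origin-IP and webshell-drop rules than as a standalone alert.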
CVSS provenance
- nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
CISA
Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
cisa·2024-11-25·CVSS 9.8
CVE-2023-28461 [CRITICAL] CWE-306 Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Vulnerability: Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Affected: Array Networks AG/vxAG ArrayOS
Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf ; https://nvd.nist.gov/vuln/detail/CVE-2023-28461
Remediation Due Date: 2024-12-16
GHSA
GHSA-pj35-hgmm-7fgg: Array Networks Array AG Series and vxAG (9
ghsa_unreviewed·2023-03-16
CVE-2023-28461 [CRITICAL] CWE-287 GHSA-pj35-hgmm-7fgg: Array Networks Array AG Series and vxAG (9
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
VulnCheck
Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-28461 [CRITICAL] CWE-306 Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.
Affected: Array Networks AG/vxAG ArrayOS
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cybereason.com/blog/cuckoo-spear-analyzing-noopdoor; https://www.trendmicro.com/en_us/research/24/k/lodeinfo-campaign-of-earth-kasha.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/ho
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Hackers are exploiting ArrayOS AG VPN flaw to plant webshells
blogs_bleepingcomputer·2025-12-04
By Bill Toulas
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management.
An advisory from Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) warns that hackers have been exploiting the vulnerability since at least August in attacks targeting organizations in the country.
The agency reports that the attacks originate from the IP address 194.233.100[.]138, which is also used for command-and-control communications.
“In the incidents confirmed by JPCERT/CC, a command was executed attempting to place
Bleepingcomputer
MirrorFace hackers targeting Japanese govt, politicians since 2019
blogs_bleepingcomputer·2025-01-09·CVSS 9.8
By Bill Toulas
The National Police Agency (NPA) and the Cabinet Cyber Security Center in Japan have linked a cyber-espionage campaign targeting the country to the Chinese state-backed "MirrorFace" hacking group.
The campaign has been underway since 2019 and is still ongoing, while the Japanese investigators have observed distinct phases with differentiation of targets and attack methods.
In all cases, the primary goal is to steal information on valuable and advanced Japanese technology and gather national security intelligence.
MirrorFace, also known as "Earth Kasha," was previously observed by ESET conducting attacks on Japanese politicians before elections, using phishing emails to deploy a credential stealer dubb
Bleepingcomputer
Hackers exploit critical bug in Array Networks SSL VPN products
blogs_bleepingcomputer·2024-11-26·CVSS 9.8
By Bill Toulas
America's cyber defense agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS.
The security issue is tracked as CVE-2023-28461, has been assigned a critical 9.8 severity score, and the agency has added it to its Known Exploited Vulnerabilities (KEV) catalog.
The bug can be exploited through a vulnerable URL and is an improper authentication issue that allows remote code execution in Array AG Series and vxAG version 9.4.0.481 and earlier.
"(CVE-2023-28461 is) […] a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags att
Trendmicro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
blogs_trendmicro·2024-11-19
APT & Targeted Attacks
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. We have identified a new campaign connected to this group with significant updates to their strategy, tactics, and arsenals.
By: Trend Micro, Nov 19, 2024
This blog is based on a presentation by the authors at Virus Bulletin 2024 .
Possible Cracked Version of Cobalt Strike
In the early incidents above, Earth Kasha also used Cobalt Strike. Like other adversaries, Cobalt Strike is designed to be executed only in memory. In this case, Earth Kasha used a shellcode loader written in Go, which
Trendmicro
Spot the Difference: Earth Kasha's New LODEINFO Campaign And The Correlation Analysis With The APT10 Umbrella
blogs_trendmicro·2024-11-19
APT & Targeted Attacks
By: Trend Micro, 2024/11/19
## Introduction
LODEINFO is a malware used in attacks targeting mainly Japan since 2019. Trend Micro has been tracking the group as Earth Kasha. While some vendors suspect that the actor using LODEINFO might be APT10, we don’t have enough evidence to fully support t
References
- https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28461
Timeline
- 2023-03-15: Published
- 2024-11-25: Added to CISA KEV
- Exploited in the wild