Hackers are exploiting ArrayOS AG VPN flaw to plant webshells

Recorded: Dec. 5, 2025, 1:02 a.m.

By Bill Toulas

December 4, 2025
06:05 PM

Threat actors have been exploiting a command injection vulnerability in Array Networks AG Series VPN appliances to plant webshells and create rogue user accounts.
Array Networks fixed the vulnerability in a May security update but has not assigned it a CVE identifier, which complicates tracking the flaw and managing patches.
An advisory from Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) warns that hackers have been exploiting the vulnerability since at least August in attacks on organizations in the country.
The agency reports that the attacks originate from the IP address 194.233.100[.]138, which is also used for communications.
“In the incidents confirmed by JPCERT/CC, a command was executed attempting to place a PHP webshell file in the path /ca/aproxy/webapp/,” reads the bulletin (machine translated).
The flaw affects ArrayOS AG 9.4.5.8 and earlier, on AG Series hardware and virtual appliances that have the 'DesktopDirect' remote access feature enabled.
JPCERT/CC says ArrayOS 9.4.5.9 addresses the problem and offers the following workarounds if updating is not possible:
If the DesktopDirect feature is not in use, disable all DesktopDirect services
Use URL filtering to block access to URLs containing a semicolon
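The indicators above (the attacker IP, the webshell drop directory, the affected version range) and the semicolon workaround lend themselves to a small triage script. The following is an added example written for this page, not code from Array Networks, JPCERT/CC or the article: it checks a reported ArrayOS version against the fixed release, applies a semicolon filter that also catches percent-encoded forms, flags requests from the attacker IP in constructed NCSA-style log lines (the appliance's own log format is not given on the page, and the URL paths in the sample are placeholders), and lists PHP files under a directory such as /ca/aproxy/webapp/.

```python
"""Triage helper for the ArrayOS AG DesktopDirect command-injection activity
described in the article.  Added example: not code from Array Networks,
JPCERT/CC or BleepingComputer.  Assumptions (labelled again where used):
  * request logs in NCSA common/combined format; ArrayOS's real log format is
    not given on the page, and the sample lines below are constructed;
  * the attacker IP 194.233.100.138 and the webshell drop directory
    /ca/aproxy/webapp/ are taken from the JPCERT/CC bulletin as quoted.
"""
import os
import re
from urllib.parse import unquote

IOC_IP = "194.233.100.138"           # from the JPCERT/CC bulletin
WEBSHELL_DIR = "/ca/aproxy/webapp/"  # from the JPCERT/CC bulletin
FIXED_VERSION = (9, 4, 5, 9)         # first fixed ArrayOS AG release


def parse_version(text: str) -> tuple:
    """Turn 'ArrayOS AG 9.4.5.8' or '9.4.5.8' into a comparable int tuple."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str, desktopdirect_enabled: bool = True) -> bool:
    """9.4.5.8 and earlier are affected, and only when DesktopDirect is on."""
    return desktopdirect_enabled and parse_version(version) < FIXED_VERSION


def url_has_semicolon(url: str) -> bool:
    """Predicate for the 'block URLs containing a semicolon' workaround.

    A filter that only matches the literal ';' is bypassed by '%3B' (or a
    double-encoded '%253B'), so decode a bounded number of times and test
    after each round.
    """
    cur = url
    for _ in range(4):                 # bound the decode depth
        if ";" in cur:
            return True
        decoded = unquote(cur)
        if decoded == cur:             # nothing left to decode
            return False
        cur = decoded
    return ";" in cur


# NCSA-style request line; the field layout is an assumption, not ArrayOS's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def triage_log(text: str) -> list:
    """Return (line_no, url, reasons) for every request worth a second look."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["ip"] == IOC_IP:
            reasons.append("ioc-ip")
        if url_has_semicolon(m["url"]):
            reasons.append("semicolon-in-url")
        if reasons:
            hits.append((n, m["url"], reasons))
    return hits


def find_php_files(root: str) -> list:
    """List .php files below root (e.g. the drop directory on an exported
    filesystem). Review each one; the bulletin describes the webshell being
    written there."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".php"):
                found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return found


# Constructed sample log. The paths are placeholders, not real ArrayOS URLs.
SAMPLE_LOG = """\
194.233.100.138 - - [12/Aug/2025:03:14:07 +0900] "GET /example/login HTTP/1.1" 200 512
10.0.0.7 - - [12/Aug/2025:03:14:09 +0900] "GET /example/login HTTP/1.1" 200 512
203.0.113.9 - - [12/Aug/2025:03:15:01 +0900] "GET /example/dd?host=a;id HTTP/1.1" 200 88
203.0.113.9 - - [12/Aug/2025:03:15:02 +0900] "GET /example/dd?host=a%253Bid HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    print("affected 9.4.5.8:", is_affected("ArrayOS AG 9.4.5.8"))
    for n, url, why in triage_log(SAMPLE_LOG):
        print(f"line {n}: {url} -> {', '.join(why)}")
    print("php files under", WEBSHELL_DIR, ":",
          find_php_files(WEBSHELL_DIR) if os.path.isdir(WEBSHELL_DIR)
          else "(directory not present here)")
```

Two caveats when applying the workaround for real: whether the appliance's URL filter sees the decoded or the raw request path is not stated on the page, so verify it against both a literal ';' and '%3B' before relying on it, and test the rule against legitimate traffic first, since some applications carry semicolons in URLs.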
Array Networks AG Series is a line of secure access gateways that rely on SSL VPNs to create encrypted tunnels for secure remote access to corporate networks, applications, desktops, and cloud resources.
Typically, they are used by large organizations and enterprises that need to facilitate remote or mobile work.
Macnica security researcher Yutaka Sejiyama reported on X that his scans returned 1,831 ArrayAG instances worldwide, primarily in China, Japan, and the United States.
He verified that at least 11 of those hosts have DesktopDirect enabled, but cautioned that many more are likely to have the feature active.

“Because this product’s user base is concentrated in Asia and most of the observed attacks are in Japan, security vendors and security organizations outside Japan have not been paying close attention,” Sejiyama told BleepingComputer.
BleepingComputer contacted Array Networks to ask whether it plans to publish a CVE ID and an official advisory for the actively exploited flaw, but no reply was available by publication time.
Last year, CISA warned about active exploitation of CVE-2023-28461, a critical remote code execution flaw in Array Networks AG and vxAG ArrayOS.

Actively Exploited
Array Networks
Command Injection
Japan
Remote Desktop Services
Vulnerability

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Summarized

Attackers are exploiting a command injection vulnerability in ArrayOS AG VPN appliances (9.4.5.8 and earlier) to deploy webshells and create rogue user accounts. JPCERT/CC reports that the activity has been ongoing since at least August 2025, with attacks originating from the IP address 194.233.100[.]138, which is also used for communications. The targets are AG Series hardware and virtual appliances with the "DesktopDirect" remote access feature enabled.

In the incidents JPCERT/CC confirmed, the injected command attempted to write a PHP webshell to /ca/aproxy/webapp/. Macnica researcher Yutaka Sejiyama's scans found 1,831 ArrayAG instances exposed worldwide, mostly in China, Japan, and the United States; at least 11 had DesktopDirect enabled, and he cautioned that the true number is likely higher.

The AG Series gateways are SSL VPN appliances that large organizations use to tunnel remote users to corporate networks, applications, desktops, and cloud resources, so a compromised gateway sits directly on the path to those resources.

Array Networks fixed the flaw in ArrayOS 9.4.5.9 in a May update. Where upgrading is not immediately possible, JPCERT/CC recommends disabling all DesktopDirect services if the feature is unused, or using URL filtering to block URLs containing a semicolon.

No CVE identifier has been assigned, which makes the flaw harder to track in vulnerability management tooling. Sejiyama also notes that because the product's user base is concentrated in Asia and most observed attacks are in Japan, vendors and security organizations outside Japan have paid little attention.

For defenders, the immediate actions are to confirm the running ArrayOS version, upgrade to 9.4.5.9 or later, review /ca/aproxy/webapp/ for unexpected PHP files and local accounts for rogue users, and block or alert on 194.233.100[.]138. The missing CVE ID also illustrates why vendors should publish identifiers and advisories for actively exploited flaws.