The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the active exploitation of a critical remote code execution (RCE) vulnerability, CVE-2023-28461, in Array Networks’ Access Gateway (AG) and Virtual Secure Access Gateway (vxAG) products. According to reports, over 440,000 internet-exposed hosts globally could be vulnerable to attacks, highlighting the widespread impact of the issue. Exploitation activity has been observed targeting government agencies and organizations in the advanced technology sector.
| Product | Array Networks |
| Date | 2024-11-28 10:11:20 |
| Information |
|
Technical Summary
CVE-2023-28461 is a critical vulnerability with a CVSS score of 9.8 that allows attackers to bypass authentication and execute arbitrary code or explore the SSL VPN gateway file system by manipulating the flags attribute in HTTP headers.
Affected Products:
- Array Networks AG/vxAG products running ArrayOS AG version 9.x.
Attack Campaigns:
- The vulnerability has been exploited by Earth Kasha (linked to the APT10 group), along with other flaws such as CVE-2023-45727 and CVE-2023-27997, targeting organizations in Japan, Taiwan, and India. Attackers used the vulnerability to install backdoors such as Cobalt Strike, LodeInfo, and NoopDoor to maintain persistence and move laterally within compromised networks.
Patch Availability:
- Array Networks released a patch in version ArrayOS AG 9.4.0.484, announced in March 2023.
Recommendations
Immediate Patching:
- Update to ArrayOS AG version 9.4.0.484 or later via the Array Networks support portal.
- Federal agencies must comply with CISA’s Binding Operational Directive (BOD) 22-01 and apply the patch by December 16.
Network Hardening:
- Restrict access to SSL VPN gateways to trusted IP addresses and networks only.
- Use firewalls or VPNs to reduce exposure.
- Monitor logs for suspicious activity, such as unauthorized access or execution attempts.
Advanced Threat Detection:
- Search for Indicators of Compromise (IoCs) such as the presence of Cobalt Strike, LodeInfo, or NoopDoor.
- Use Endpoint Detection and Response (EDR) tools to identify suspicious activity associated with APT threats.
[Callforaction-THREAT-Footer]
