The U.S. cyber defense agency has received evidence of hackers actively exploiting a remote code execution vulnerability in the SSL VPN products Array Networks AG and vxAG ArrayOS.
The security issue is tracked as CVE-2023-28461 and has been assigned a critical 9.8 severity score, and the agency has added it to the catalog of Known Exploited Vulnerabilities (KEV).
The bug can be exploited through a vulnerable URL and is an improper authentication issue that allows remote code execution in Array AG Series and vxAG version 9.4.0.481 and earlier.
“(CVE-2023-28461 is) […] a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication,” the vendor says in a security bulletin.
The flaw was disclosed last year on March 9, and Array Networks fixed it about a week later with the release of Array AG release 9.4.0.484.
Array Networks AG Series (hardware appliances) and vxAG Series (virtual appliances) are SSL VPN products that offer secure remote and mobile access to corporate networks, enterprise applications, and cloud services.
According to the vendor, they are used by over 5,000 customers worldwide, including enterprises, service providers, and government agencies.
CISA has not provided any details on who is taking advantage of the vulnerability or which organizations were targeted, but added it to the Known Exploited Vulnerabilities (KEV) catalog “based on evidence of active exploitation.”
The agency recommends that all federal agencies and critical infrastructure organizations either apply security updates and available mitigations by December 16 or stop using the product.
Security updates for the impacted products are available through the Array support portal. In the security advisory, the vendor also provides a set of commands to mitigate the vulnerability if updates cannot be installed immediately.
However, organizations should first test the effect of the commands, as they could have a negative impact on the functionality of Client Security, the VPN client’s ability to upgrade automatically, and the Portal User Resource function.
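To find which appliances still need the update, the version boundaries given above (9.4.0.481 and earlier affected, 9.4.0.484 fixed) can be applied to an asset inventory. The following is an added example, not code from Array Networks or CISA; the inventory layout, hostnames and the assumption that the version is recorded as a dotted four-part number are illustrative.

```python
import re

# Boundaries taken from the article: 9.4.0.481 and earlier are affected,
# 9.4.0.484 is the release that carries the fix.
LAST_AFFECTED = (9, 4, 0, 481)
FIRST_FIXED = (9, 4, 0, 484)

# Assumption: the version appears as a dotted four-part number somewhere
# in whatever string the inventory recorded for the appliance.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Map a recorded version string to a CVE-2023-28461 triage status."""
    v = parse_version(text)
    if v is None:
        return "unknown"        # unparseable: verify on the device itself
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unconfirmed"        # between the two builds; the article is silent

def triage(inventory):
    """Group hostnames by status; 'inventory' maps hostname -> version text."""
    report = {"affected": [], "unconfirmed": [], "unknown": [], "fixed": []}
    for host, text in sorted(inventory.items()):
        report[classify(text)].append(host)
    return report

# Constructed sample inventory (hostnames and strings are made up).
SAMPLE = {
    "vpn-edge-01": "ArrayOS AG 9.4.0.481",
    "vpn-edge-02": "9.4.0.484",
    "vpn-lab-01": "vxAG 9.4.0.466",
    "vpn-dr-01": "9.4.0.482",
    "vpn-old-01": "n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" or "unconfirmed" should be checked directly on the appliance rather than assumed safe.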