JPCERT/CC Reports Widespread Exploitation of Array Networks AG Gateway Vulnerability

Pierluigi Paganini December 05, 2025

Array Networks AG gateways have been under active exploitation since August 2025 due to a command injection flaw, JPCERT/CC warns.

A command injection flaw in Array Networks AG Series gateways, affecting DesktopDirect, has been exploited in the wild since August 2025; it was patched in May 2025.

An attacker can exploit the flaw to execute arbitrary commands.

“The DesktopDirect function of the Array AG series provided by Array Networks contains a command injection vulnerability. An attacker exploiting this vulnerability could execute arbitrary commands. At the time of publishing this information, no CVE number has been assigned to this vulnerability,” reads the alert published by JPCERT/CC.

Array’s DesktopDirect is a remote desktop access solution designed to let users securely access their work computers from anywhere. It is commonly used in enterprise environments to provide employees with remote access to their office desktops, applications, and resources while maintaining security through encryption, authentication, and access controls.

The flaw affects ArrayOS AG 9.4.5.8 and earlier versions. The company addressed it on May 11, 2025, with the release of ArrayOS AG 9.4.5.9.

The Japanese agency warns that since August 2025, organizations in Japan using Array Networks products have faced attacks exploiting the command injection flaw, involving webshell installation, creation of new user accounts, and subsequent intrusion into internal networks. The attack traffic was traced to the IP address 194.233.100[.]138. Users should review Array Networks guidance and investigate potential compromises.

JPCERT advises organizations using Array Networks AG Series or DesktopDirect to carefully investigate their systems for any signs of intrusion, particularly considering that the vulnerability has been actively exploited since August 2025. Users should implement countermeasures and apply security patches provided by Array Networks or its authorized distributors to mitigate the risk. Where a full patch is not yet feasible, organizations are encouraged to follow any temporary workarounds suggested by the vendor to reduce potential exposure. The overall aim is to detect past breaches, prevent further exploitation, and ensure that remote access systems remain secure.
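The advisory gives defenders three concrete things to check: whether the running ArrayOS AG build predates 9.4.5.9, whether the gateway's web logs show traffic from 194.233.100[.]138 or webshell-style requests, and whether local accounts appeared that were not there before August. The script below is an added triage example, not code from JPCERT/CC or Array Networks. It assumes the gateway's access log can be exported in Combined Log Format (the advisory does not describe the real ArrayOS log layout), assumes a pre-incident export of the user list exists, and treats `cmd`/`exec`/`command` query parameters as a webshell heuristic; the log lines, paths and account names are constructed for illustration.

```python
"""Triage helpers for the Array AG DesktopDirect advisory described above.

Added example, not JPCERT/CC or Array Networks code. Assumptions:
  * the gateway exports a web access log in Combined Log Format (the real
    ArrayOS log layout is not described in the advisory);
  * a user list was exported before the exposure window and can be
    compared with a current export.
All sample data below is constructed for illustration.
"""
import re
from collections import Counter

FIXED_VERSION = "9.4.5.9"             # first fixed ArrayOS AG release
IOC_IPS = {"194.233.100.138"}         # attack source reported by JPCERT/CC
# Heuristic (assumption): query parameters commonly used to drive a webshell.
SHELL_PARAMS = {"cmd", "exec", "command"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two benign logins, the IoC address logging in and
# calling a dropped script, then an internal host using the same script.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2025:09:14:02 +0900] "GET /login HTTP/1.1" 200 1532
194.233.100.138 - - [12/Aug/2025:09:15:41 +0900] "POST /login HTTP/1.1" 200 412
194.233.100.138 - - [12/Aug/2025:09:15:43 +0900] "GET /img/x.php?cmd=id HTTP/1.1" 200 88
10.0.0.7 - - [12/Aug/2025:09:20:10 +0900] "GET /login HTTP/1.1" 200 1532
10.0.0.7 - - [12/Aug/2025:09:21:00 +0900] "POST /img/x.php?exec=whoami HTTP/1.1" 200 95
"""


def version_tuple(v):
    """Dotted version string -> tuple of ints, so 9.4.5.10 sorts after 9.4.5.9."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version):
    """True when the running ArrayOS AG build predates the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def parse_log(text):
    """Yield one dict per parsable access-log line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def suspicious_requests(text):
    """Records from the IoC address or carrying webshell-style parameters,
    each tagged with the reason(s) it was flagged."""
    hits = []
    for rec in parse_log(text):
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc-ip")
        query = rec["path"].partition("?")[2]
        params = {kv.split("=", 1)[0] for kv in query.split("&") if kv}
        if params & SHELL_PARAMS:
            reasons.append("shell-param")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


def webshell_paths(text):
    """Paths that received shell-style parameters, with request counts.
    A client other than the IoC address hitting one of these is a sign the
    implant is being used for the internal intrusion phase."""
    return Counter(h["path"].partition("?")[0]
                   for h in suspicious_requests(text)
                   if "shell-param" in h["reasons"])


def new_accounts(baseline, current):
    """Accounts present now that were absent from the pre-August baseline export."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    print("affected 9.4.5.8:", is_affected("9.4.5.8"), " 9.4.5.9:", is_affected("9.4.5.9"))
    for h in suspicious_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["path"], h["reasons"])
    print("webshell paths:", dict(webshell_paths(SAMPLE_LOG)))
    print("new accounts:", new_accounts(["admin", "ops"], ["admin", "ops", "support1"]))
```

Run it against a real export by reading the log file into `suspicious_requests` and the two user lists into `new_accounts`; the `webshell_paths` output is the list of files to pull for analysis before the box is rebuilt, and any path there that was later requested by an internal address should widen the investigation beyond the gateway itself.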

In November 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Array Networks AG and vxAG ArrayOS flaw CVE-2023-28461 (CVSS score: 9.8) to its Known Exploited Vulnerabilities (KEV) catalog.

Array Networks’ AG Series and vxAG (versions 9.4.0.481 and earlier) are impacted by a remote code execution vulnerability. Attackers can exploit the SSL VPN gateway without authentication by accessing the filesystem through an HTTP header flags attribute and a vulnerable URL.
