Back to KEVs

CVE-2023-28461

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN...

Basic Information

CVE State
PUBLISHED
Reserved Date
March 15, 2023
Published Date
March 15, 2023
Last Updated
February 10, 2025
Vendor
n/a
Product
n/a
Description
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
Tags
cisa malware ransomware

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2024-11-25 00:00:00 UTC) Source
Used in Malware
Yes (added 2024-11-25 00:00:00 UTC) Source

References

https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-11-25 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel