Dec 05, 2025Ravie LakshmananVulnerability / Community Safety
A command injection vulnerability in Array Networks AG Collection safe entry gateways has been exploited within the wild since August 2025, in keeping with an alert issued by JPCERT/CC this week.
The vulnerability, which doesn’t have a CVE identifier, was addressed by the corporate on Could 11, 2025. It is rooted in Array’s DesktopDirect, a distant desktop entry resolution that permits customers to securely entry their work computer systems from any location.
“Exploitation of this vulnerability may permit attackers to execute arbitrary instructions,” JPCERT/CC mentioned. “This vulnerability impacts methods the place the ‘DesktopDirect’ characteristic, which gives distant desktop entry, is enabled.”
The company mentioned it has confirmed incidents in Japan which have exploited the shortcoming after August 2025 to drop net shells on prone gadgets. The assaults have originated from the IP handle “194.233.100[.]138.”
There are at present no particulars accessible on the dimensions of the assaults, weaponizing the flaw, and identification of the menace actors exploiting it.
Nevertheless, an authentication bypass flaw in the identical product (CVE-2023-28461, 9.8) was exploited final yr by a China-linked cyber espionage group dubbed MirrorFace, which has a historical past of focusing on Japanese organizations since no less than 2019. That mentioned, there isn’t a proof to counsel that at this stage the menace actor may very well be linked to the newest assault spree.
The vulnerability impacts ArrayOS variations 9.4.5.8 and earlier, and has been addressed in model ArrayOS 9.4.5.9. Customers are suggested to use the newest updates as quickly as doable to mitigate potential threats. In case patching will not be a direct possibility, it is really useful to disable DesktopDirect providers and use URL filtering to disclaim entry to URLs containing a semicolon, JPCERT/CC mentioned.
