Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that
Analysis Summary
# Main Topic
CISA's addition of CVE-2023-28461, a critical, actively exploited vulnerability in Array Networks AG and vxAG secure access gateways, to the Known Exploited Vulnerabilities (KEV) catalog.
## Key Points
- **Vulnerability Identified:** CVE-2023-28461, a critical flaw with a CVSS score of 9.8.
- **Nature of Flaw:** Missing authentication vulnerability that allows remote attackers to execute arbitrary code.
- **Exploitation Mechanism:** Allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway by using the `flags` attribute in an HTTP header, requiring no authentication.
- **Patch Availability:** Fixes were released by Array Networks in March 2023 (version 9.4.0.484).
## Threat Actors
- **Earth Kasha (aka MirrorFace):** A China-linked cyber espionage group reported to be exploiting this vulnerability (CVE-2023-28461) for initial access.
- **Motivation/Targeting:** Earth Kasha is known for extensive targeting of Japanese entities, though it has also been observed attacking organizations in Taiwan, India, and Europe.
## TTPs
- **Initial Access:** Exploiting CVE-2023-28461 on public-facing enterprise products.
- **Technique:** Remote Code Execution (RCE) via manipulated HTTP headers (specifically the `flags` attribute) without prior authentication.
- **Payload Example:** An Earth Kasha campaign was noted using a lure themed on the upcoming World Expo 2025 to deliver a backdoor known as ANEL against an unnamed diplomatic entity in the EU.
## Affected Systems
- **Technology:** Array Networks AG and vxAG secure access gateways (SSL VPN gateways).
- **Fix Version:** Patch version 9.4.0.484 (released March 2023).
## Mitigations
- **Mandatory Remediation:** Federal Civilian Executive Branch (FCEB) agencies are recommended to apply patches by December 16, 2024.
- **General Action:** Organizations using affected Array Networks devices must immediately apply the vendor-released security fixes.
## Conclusion
CVE-2023-28461 represents a high-severity, known-exploited vulnerability facilitating remote code execution on Array Networks infrastructure. Given active exploitation by sophisticated groups like Earth Kasha, immediate patching is critical for all affected organizations to prevent compromise.