Full Report
A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week. The vulnerability, which does not have a CVE identifier, was addressed by the company on May 11, 2025. It's rooted in Array's DesktopDirect, a remote desktop access solution that allows users to securely access
Analysis Summary
# Vulnerability: Command Injection via DesktopDirect in Array AG Gateways
## CVE Details
- CVE ID: Not Assigned (No Public CVE Identifier available)
- CVSS Score: Unknown (No score provided, but impact suggests High severity)
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Array Networks AG Series secure access gateways
- Versions: ArrayOS versions 9.4.5.8 and earlier
- Configurations: Affects systems where the 'DesktopDirect' feature (remote desktop access solution) is enabled.
## Vulnerability Description
A command injection vulnerability exists within Array's DesktopDirect feature on the AG Series gateways. The source does not state whether authentication is required; in-the-wild exploitation indicates the flaw is reachable remotely. Successful exploitation lets the attacker execute arbitrary operating system commands on the underlying system.
## Exploitation
- Status: Exploited in the wild since August 2025. Confirmed incidents involve dropping web shells.
- Complexity: Likely Low; in-the-wild exploitation began within a few months of the fix.
- Attack Vector: Network (Remote exploitation).
## Impact
- Confidentiality: High (Arbitrary command execution can lead to data exfiltration).
- Integrity: High (Arbitrary command execution allows system modification).
- Availability: High (Web shell deployment suggests potential for denial of service or persistent unauthorized access).
## Remediation
### Patches
- The vendor addressed the flaw on May 11, 2025.
- **Fix Version:** ArrayOS version 9.4.5.9 and later.
### Workarounds
1. Disable the 'DesktopDirect' services entirely.
2. Implement URL filtering to deny requests whose URL contains a semicolon (`;`), the separator that command injection payloads in this context typically rely on.
## Detection
- **Indicators of Compromise (IOCs):** Confirmed exploitation involves dropping web shells. Monitor for unexpected file creation or modification within web-accessible directories on the gateway.
- **Detection Methods and Tools:** Monitor network traffic for payloads attempting to inject commands, specifically looking for use of shell metacharacters (like `;`, `|`, `&`) toward the vulnerable component endpoint. (Attacks originated from IP `194.233.100[.]138`).
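An added example of the log-side check described above (not code from JPCERT/CC or Array Networks): it URL-decodes each request, flags shell metacharacters in requests aimed at the DesktopDirect endpoint, and matches the reported source IP. The endpoint prefix `/desktopdirect/` and the access-log lines are constructed assumptions; the alert does not publish the vulnerable path, so substitute the real one.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# ASSUMPTION: the alert does not name the vulnerable endpoint; this prefix is a placeholder.
DESKTOPDIRECT_PREFIX = "/desktopdirect/"
# Shell metacharacters the advisory singles out, plus the usual extras.
SHELL_METACHARS = set(";|&`$")
# Source IP reported in the advisory (re-fanged here so it compares against log fields).
KNOWN_BAD_IPS = {"194.233.100.138"}

# Common Log Format: ip ident user [ts] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_chars(url: str) -> set:
    """Metacharacters present after decoding; decode twice so %253B (double-encoded ;) is caught."""
    decoded = unquote(unquote(url))
    return {c for c in decoded if c in SHELL_METACHARS}


def triage_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    path = urlsplit(url).path.lower()
    chars = suspicious_chars(url)
    reasons = []
    # Only metacharacters aimed at the DesktopDirect component count; a ';' in an
    # unrelated static path (e.g. cache-busting params) is not flagged.
    if path.startswith(DESKTOPDIRECT_PREFIX) and chars:
        reasons.append("metachars:" + "".join(sorted(chars)))
    if m.group("ip") in KNOWN_BAD_IPS:
        reasons.append("known-bad-ip")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "url": url, "status": m.group("status"), "reasons": reasons}


def triage(lines) -> list:
    return [r for r in map(triage_line, lines) if r]


# Constructed sample log lines; none are real captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2025:10:00:01 +0000] "GET /desktopdirect/login HTTP/1.1" 200 512',
    '194.233.100.138 - - [12/Nov/2025:10:00:02 +0000] "GET /desktopdirect/rdp?host=10.0.0.9%3Bid HTTP/1.1" 200 77',
    '203.0.113.7 - - [12/Nov/2025:10:00:03 +0000] "POST /desktopdirect/rdp?host=x%253Bid HTTP/1.1" 500 0',
    '198.51.100.2 - - [12/Nov/2025:10:00:04 +0000] "GET /static/app.js;v=2 HTTP/1.1" 200 100',
]
```

Running `triage(SAMPLE_LOG)` flags the second and third lines only; the URL filter from the workarounds section should likewise be applied to the decoded URL, otherwise `%3B` slips past it.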
## References
- Vendor Advisory: Addressed on May 11, 2025 (Specific Advisory Link not provided).
- JPCERT/CC Alert: [https://www.jpcert.or.jp/at/2025/at250024.html](https://www.jpcert.or.jp/at/2025/at250024.html)