
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways


These articles are AI-generated summaries. Please check the original sources for full details.


JPCERT/CC has confirmed active exploitation of a command injection vulnerability in Array Networks AG Series gateways since August 2025. The flaw, patched on May 11, 2025, allows arbitrary command execution via the DesktopDirect remote access feature.

Why This Matters

The vulnerability exposes systems with DesktopDirect enabled to attackers who can inject commands to deploy web shells, compromising device integrity. While JPCERT notes no confirmed scale of current attacks, the flaw’s similarity to a prior high-severity vulnerability (CVE-2023-28461, CVSS 9.8) exploited by a China-linked group underscores the risk of unpatched systems. Failure to mitigate could lead to persistent access and data exfiltration.

Key Insights

  • “Confirmed incidents since August 2025 involving IP 194.233.100[.]138”: JPCERT/CC alert (2025).
  • “Command injection over secure access protocols”: Exploits in DesktopDirect, a remote desktop solution.
  • “Disable DesktopDirect or block semicolons in URLs”: JPCERT mitigation advice for unpatched systems.

Practical Applications

  • Use Case: Organizations using Array AG gateways with DesktopDirect must apply ArrayOS 9.4.5.9 or later.
  • Pitfall: Leaving DesktopDirect enabled without URL filtering increases exposure to command injection attacks.
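The two defensive points above, JPCERT's interim advice to block semicolons in URLs and the single source IP it published for the confirmed incidents, can both be expressed as a small access-log check. The code below is an added example written for this summary, not code from JPCERT/CC or Array Networks: the combined-format log lines, the request paths and the hypothetical `request_allowed` gate are all constructed for illustration, and only the source IP is taken from the alert quoted above.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Indicator published in the JPCERT/CC alert summarised above (written defanged in the text).
KNOWN_ATTACKER_IPS = frozenset({"194.233.100.138"})

# Constructed sample traffic in Apache/NGINX "combined" format. Paths are placeholders,
# not real Array AG or DesktopDirect endpoints; no real hosts or requests are reproduced.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [12/Aug/2025:09:14:02 +0900] "GET /portal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
194.233.100.138 - - [12/Aug/2025:09:15:44 +0900] "GET /portal/connect;placeholder HTTP/1.1" 200 87 "-" "curl/8.0"
10.0.0.9 - - [12/Aug/2025:09:16:10 +0900] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2025:09:17:31 +0900] "POST /portal/session%3Bplaceholder HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Minimal combined-log-format parser: source IP, timestamp, method, URL, protocol, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    url: str
    reasons: list = field(default_factory=list)


def url_has_semicolon(url: str) -> bool:
    """True if the request URL contains ';' after percent-decoding.

    Decoding matters: a literal ';' and an encoded '%3B' reach the back end
    the same way, so a filter that only looks at the raw string misses half
    the cases.
    """
    return ";" in unquote(url)


def request_allowed(url: str) -> bool:
    """Hypothetical edge-filter decision implementing JPCERT's interim advice.

    Note: RFC 3986 allows ';' in paths (path parameters), so test this rule
    against real client traffic before enforcing it on a production gateway.
    """
    return not url_has_semicolon(url)


def audit_access_log(log_text: str, attacker_ips=KNOWN_ATTACKER_IPS) -> list:
    """Scan combined-format log lines and return one Finding per suspicious request."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        ip, url = m.group("ip"), m.group("url")
        reasons = []
        if url_has_semicolon(url):
            reasons.append("semicolon in request URL")
        if ip in attacker_ips:
            reasons.append("source IP matches JPCERT/CC indicator")
        if reasons:
            findings.append(Finding(n, ip, url, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f.line_no}: {f.ip} {f.url} -> {', '.join(f.reasons)}")
```

Run against the constructed log it flags lines 2 and 4: line 2 on both the indicator IP and the semicolon, line 4 on the percent-encoded semicolon alone. Treat this as a triage aid, not proof of compromise; a hit should be followed by checking the gateway for unexpected files and by applying ArrayOS 9.4.5.9 or later as the page states.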
