The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.
According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.
“Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation.
Ongoing Attacks Traced to a Single IP Address
JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.
The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released.
No Evidence Linking to Past Exploits of CVE-2023-28461
The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.
Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461.
Affected Versions and Required Updates
The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.
JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot.
Workarounds
For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps:
- Disable all DesktopDirect services if the feature is not actively in use.
- Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads.
These measures aim to reduce exposure until patching becomes feasible.
In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.
