CVE-2023-28461 (CVSS 9.8): Critical Array Networks Vulnerability Added to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-28461, a critical security flaw impacting Array Networks AG and vxAG ArrayOS, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, with a CVSS score of 9.8, underscores the urgent need for organizations to address this actively exploited threat.
CVE-2023-28461 stems from a missing authentication check for a critical function within ArrayOS, the operating system powering Array AG and vxAG series SSL VPN gateways. Successful exploitation allows unauthenticated attackers to remotely read sensitive files and execute arbitrary code on vulnerable devices. This could lead to complete system compromise, data exfiltration, and disruption of essential services.
This vulnerability primarily affects older versions of the software and does not impact Array Networks’ AVX, APV, ASF, or AG/vxAG systems running ArrayOS AG 10.x versions. However, products running ArrayOS AG 9.x versions—specifically 9.4.0.481 and earlier—are vulnerable to exploitation.
Array Networks has released ArrayOS AG version 9.4.0.484 to address this vulnerability. Organizations are strongly advised to update their affected devices to this version immediately.
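As an added illustration (not a tool from Array Networks or the article's author), the affected and fixed version rules above expressed as a triage check over a constructed device inventory. The 'verify' bucket for builds between 9.4.0.481 and 9.4.0.484 is an assumption of this example, covering a gap the advisory does not address.

```python
import re
from typing import Tuple

# Version thresholds taken from the advisory text above.
LAST_VULNERABLE = (9, 4, 0, 481)  # 9.4.0.481 and earlier are vulnerable
FIRST_FIXED = (9, 4, 0, 484)      # the release Array Networks shipped as the fix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted ArrayOS AG build string such as '9.4.0.481' into an int tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def classify(version: str) -> str:
    """Classify one ArrayOS AG version against CVE-2023-28461.

    'not_affected': ArrayOS AG 10.x, which the advisory says is not impacted
    'vulnerable':   9.x builds at or below 9.4.0.481
    'fixed':        9.4.0.484 or later
    'verify':       9.4.0.482/.483, between the last known-vulnerable build and
                    the fix release; the advisory does not say, so check manually
    'unknown':      unparsable strings or any other major version
    """
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v[0] == 10:
        return "not_affected"
    if v[0] != 9:
        return "unknown"
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    if v >= FIRST_FIXED:
        return "fixed"
    return "verify"

def triage(inventory):
    """Annotate (hostname, version) pairs with their CVE-2023-28461 status."""
    return [(host, ver, classify(ver)) for host, ver in inventory]

# Constructed sample inventory; hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [("vpn-gw-01", "9.4.0.481"), ("vpn-gw-02", "9.4.0.484"),
                    ("vpn-gw-03", "10.0.0.100"), ("vpn-gw-04", "9.4.0.482")]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {ver:11} {status}")
```

Anything reported as 'vulnerable' or 'verify' should be patched to 9.4.0.484 or, until that is possible, given the temporary mitigations described below.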
For organizations unable to immediately implement the patch, Array Networks has provided temporary mitigation measures. These involve disabling specific functionalities, including Client Security, VPN client automatic upgrades, and Portal User Resource, and implementing blacklist rules to filter malicious traffic. Detailed instructions for these workarounds can be found on the Array Networks support portal.
Evidence indicates active exploitation of this vulnerability, prompting CISA to issue a directive for federal agencies to apply fixes and implement countermeasures by December 16, 2024.