CISA Urges Immediate Action on Critical ‘Array Networks’ Vulnerability

• A critical flaw affecting Array Networks AG and vxAG secure access gateways is actively exploited.
• CISA added to its KEV catalog the flaw involving missing authentication permitting arbitrary code execution remotely.
• The vulnerability impacts SSL VPN gateways, and it has been abused by China-linked espionage group Earth Kasha.

A critical flaw affecting Array Networks AG and vxAG secure access gateways was signaled following reports of active exploitation, and agencies are being urged to apply the available patch immediately to mitigate risks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog. 

Tracked under CVE-2023-28461 with a CVSS score of 9.8, this flaw involves missing authentication that enables attackers to execute arbitrary code remotely. Exploitation allows unauthorized access to browse the file system or execute remote code via the "flags" attribute in HTTP headers. 

The vulnerability impacts SSL VPN gateways, making it particularly critical for secure access solutions. Array Networks released a fix (version 9.4.0.484) in March 2023 to address this issue, but delayed implementation has left systems vulnerable to exploitation.

Cybersecurity company Trend Micro recently revealed that a China-linked espionage group dubbed Earth Kasha (also known as MirrorFace) has been actively exploiting this vulnerability. 

The group, primarily targeting Japanese entities, has expanded its operations to include entities in Taiwan, India, and Europe. They utilize vulnerabilities in public-facing enterprise products like Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997) for their initial access.

Recent campaigns by Earth Kasha include targeting a diplomatic entity in the E.U. using the ANEL backdoor, leveraging the World Expo 2025 in Osaka, Japan, as their lure. Their activity highlights the urgency of securing systems against known vulnerabilities.

Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the patches by December 16, 2024. However, given the demonstrated potential for active exploitation, organizations are strongly advised to act without delay.

Mitigation recommendations for organizations suggest evaluating exposure, applying patches promptly, enhancing threat visibility, minimizing Internet-facing exposure, and maintaining patch management practices.

Earlier this month, CISA announced critical security flaws in PTZOptics cameras that allow OS command injection and authentication bypass, posing a significant risk.