JPCERT Confirms Active Command Injection Attacks Targeting Array AG Gateways

JPCERT/CC has confirmed that a command injection vulnerability in Array Networks AG Series secure access gateways has been actively exploited since August 2025. The alert, released this week, warns organizations to take immediate protective measures.

The vulnerability, which has not yet received a CVE identifier, was addressed by Array Networks on May 11, 2025. It exists in DesktopDirect, a remote desktop access solution enabling users to securely connect to their work computers from any location.

Potential Impact

JPCERT/CC noted that successful exploitation could allow attackers to execute arbitrary commands on affected systems. The vulnerability specifically affects systems where the DesktopDirect feature is enabled.

Japanese authorities have confirmed incidents where the flaw was leveraged to deploy web shells on vulnerable devices. The attacks reportedly originated from the IP address 194.233.100[.]138. Details on the scale of attacks, methods used, and threat actors remain unclear.

Related Historical Exploits

A prior authentication bypass vulnerability in DesktopDirect (CVE-2023-28461, CVSS score: 9.8) was exploited in 2024 by the China-linked cyber espionage group MirrorFace, which has targeted Japanese organizations since at least 2019. However, there is currently no evidence linking the same group to the ongoing attack campaign.

Affected Versions and Mitigation

The vulnerability affects ArrayOS versions 9.4.5.8 and earlier. Array Networks released a patched version, ArrayOS 9.4.5.9, to resolve the issue. Users are strongly advised to update to the latest version immediately.

For environments where patching is not immediately possible, JPCERT/CC recommends disabling DesktopDirect services and implementing URL filtering to block access to URLs containing a semicolon, which may help reduce risk.
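As an added example (not code from the JPCERT/CC alert or from Array Networks), the following Python helper applies the two indicators the alert gives, a semicolon in the requested URL and the reported source address, to access-log lines. It also checks percent-encoded forms of the semicolon, which a filter matching only the literal character would miss. The combined log format and the request paths are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Source IP reported by JPCERT/CC in the advisory (defanged form in the text).
REPORTED_IP = "194.233.100.138"

# Assumption: the gateway access log resembles the common combined log format.
# Adapt this regex to the actual ArrayOS log layout before use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def has_semicolon(target: str) -> bool:
    """True if the request target contains ';' raw or percent-encoded (%3B, %253B, ...)."""
    decoded = target
    for _ in range(3):  # peel a few layers of encoding
        if ";" in decoded:
            return True
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return ";" in decoded


def triage(lines):
    """Return (ip, target, reasons) for every line matching an indicator from the alert."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in real use
        reasons = []
        if has_semicolon(m["target"]):
            reasons.append("semicolon in URL")
        if m["ip"] == REPORTED_IP:
            reasons.append("reported source IP")
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample log lines; paths are placeholders, not real DesktopDirect endpoints.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:10:01:02 +0900] "GET /placeholder/login HTTP/1.1" 200 512',
    '194.233.100.138 - - [12/Aug/2025:10:01:09 +0900] "GET /placeholder/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Aug/2025:10:02:11 +0900] "GET /placeholder/path?x=a;b HTTP/1.1" 200 88',
    '203.0.113.8 - - [12/Aug/2025:10:02:15 +0900] "POST /placeholder/path?x=a%3Bb HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ip, target, reasons in triage(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

A hit on the semicolon check alone is only a lead, since legitimate URLs can contain one; a hit on the reported address in the same window as a semicolon request is the stronger signal to escalate.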
