
Chinese Hackers Exploiting Critical Vulnerability in Array Networks Gateways

CISA warns about attacks exploiting CVE-2023-28461, a critical vulnerability in Array Networks AG and vxAG secure access gateways.

The US cybersecurity agency CISA on Monday warned of the in-the-wild exploitation of a critical-severity vulnerability in Array Networks’ Array AG and vxAG secure access gateway products.

The issue, tracked as CVE-2023-28461 (CVSS score of 9.8), is described as a remote code execution (RCE) flaw that “allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication.”

An attacker could exploit the vulnerability against Array AG/vxAG appliances running a vulnerable version of ArrayOS AG 9.x. In March 2023, the US-based networking hardware maker Array Networks announced that patches for the bug were included in ArrayOS AG version 9.4.0.484, available for download through its support portal.

Last week, Trend Micro reported that CVE-2023-28461 had been exploited by Earth Kasha in a campaign that targeted advanced technology organizations and government agencies in Japan, Taiwan, and India through vulnerable SSL-VPN and file storage services.

Earth Kasha, also known as MirrorFace, is a threat actor that operates under the APT10 umbrella but is believed to be a distinct entity from APT10 itself, the China-linked state-sponsored hacking group also tracked as Bronze Riverside, Cicada, Potassium, Red Apollo, and Stone Panda.

According to Trend Micro, Earth Kasha has exploited the Array bug alongside Proself and FortiOS/FortiProxy flaws (CVE-2023-45727 and CVE-2023-27997, respectively) for initial access, and then deployed backdoors such as Cobalt Strike, LodeInfo, and NoopDoor for persistence.


On Monday, CISA added CVE-2023-28461 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to hunt for vulnerable Array instances in their environments and patch them as soon as possible.

“Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway,” CISA notes.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until December 16 to apply patches for the exploited Array vulnerability. However, all organizations are advised to review CISA’s KEV list and apply the necessary remediations as soon as possible.
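The KEV entry and the fixed build named above are enough to turn the "hunt for vulnerable Array instances" instruction into a repeatable check. The following is an added example, not code from SecurityWeek, CISA or Array Networks: it compares a constructed gateway inventory against the fixed ArrayOS AG build and a constructed record that mirrors the field names of CISA's KEV JSON feed, and reports how many days remain before the BOD 22-01 due date. The inventory hosts and versions are made up, and the rule that any ArrayOS AG 9.x build older than 9.4.0.484 is affected is an assumption for this example; the vendor advisory is authoritative for exact affected builds.

```python
"""Triage an Array AG/vxAG inventory against the CISA KEV entry for CVE-2023-28461."""
from dataclasses import dataclass
from datetime import date

# Fixed build named in Array Networks' March 2023 advisory, as reported in the article.
FIXED_BUILD = "9.4.0.484"

# Constructed KEV-style record using the field names of CISA's KEV JSON feed; the
# dates follow the article (added 2024-11-25, due 2024-12-16 under BOD 22-01).
KEV_ENTRY = {
    "cveID": "CVE-2023-28461",
    "vendorProject": "Array Networks",
    "product": "AG and vxAG ArrayOS",
    "dateAdded": "2024-11-25",
    "dueDate": "2024-12-16",
}


def parse_version(v: str) -> tuple[int, ...]:
    """'9.4.0.484' -> (9, 4, 0, 484); short strings like '9.4' are padded with zeros
    so that tuple comparison works component by component."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """Assumption for this example: any ArrayOS AG 9.x build older than FIXED_BUILD
    needs remediation. Builds on other major versions are not flagged here."""
    parsed = parse_version(version)
    return parsed[0] == 9 and parsed < parse_version(FIXED_BUILD)


@dataclass
class Gateway:
    host: str
    product: str   # "AG" or "vxAG"
    version: str


# Constructed inventory; hostnames and the 9.4.0.400 build are invented for the example.
SAMPLE_INVENTORY = [
    Gateway("vpn-gw1.example.internal", "AG", "9.4.0.481"),
    Gateway("vpn-gw2.example.internal", "vxAG", "9.4.0.484"),
    Gateway("vpn-gw3.example.internal", "AG", "9.4.0.400"),
    Gateway("fw-edge1.example.internal", "OtherProduct", "1.0.0.0"),
]


def triage(inventory: list[Gateway], today_iso: str) -> list[dict]:
    """Return one finding per affected Array AG/vxAG gateway, with the KEV due date
    converted into days remaining (negative once the deadline has passed)."""
    today = date.fromisoformat(today_iso)
    due = date.fromisoformat(KEV_ENTRY["dueDate"])
    findings = []
    for gw in inventory:
        if gw.product not in ("AG", "vxAG"):
            continue  # KEV entry only covers Array AG and vxAG
        if is_affected(gw.version):
            findings.append({
                "host": gw.host,
                "product": gw.product,
                "version": gw.version,
                "cve": KEV_ENTRY["cveID"],
                "fixed_in": FIXED_BUILD,
                "days_left": (due - today).days,
                "overdue": today > due,
            })
    # Oldest builds first, so the most out-of-date gateways are at the top.
    return sorted(findings, key=lambda f: parse_version(f["version"]))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date.today().isoformat()):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} days left"
        print(f"{f['host']} ({f['product']} {f['version']}): patch to {f['fixed_in']} for {f['cve']}; {status}")
```

Feed a real inventory export and the live KEV record in place of the constructed values; the comparison logic is unchanged. Because the check keys on build numbers rather than on the exploit itself, it tells you which appliances need patching, not whether any of them has already been compromised, so hosts it flags still warrant a review of gateway logs for the period since the vendor advisory.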


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
