SecurityWeek

Vulnerabilities

Chinese Hackers Exploiting Critical Vulnerability in Array Networks Gateways

CISA warns about attacks exploiting CVE-2023-28461, a critical vulnerability in Array Networks AG and vxAG secure access gateways.

The US cybersecurity agency CISA on Monday warned of the in-the-wild exploitation of a critical-severity vulnerability in Array Networks’ Array AG and vxAG secure access gateway products.

The issue, tracked as CVE-2023-28461 (CVSS score of 9.8), is described as a remote code execution (RCE) flaw that “allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication.”

An attacker could exploit the vulnerability against Array AG/vxAG products running a vulnerable version of ArrayOS AG 9.x. In March 2023, the US-based networking hardware maker Array Networks announced (PDF) that patches for the bug were included in ArrayOS AG version 9.4.0.484, available for download through its support portal.

Last week, Trend Micro reported that CVE-2023-28461 had been exploited by Earth Kasha in attacks exploiting vulnerable SSL-VPN and file storage services against advanced technology organizations and government agencies in Japan, Taiwan, and India.

Earth Kasha, also known as MirrorFace, is a threat actor operating under the APT10 umbrella but believed to be a different entity from APT10, the China-linked state-sponsored hacking group also tracked as Bronze Riverside, Cicada, Potassium, Red Apollo, and Stone Panda.

According to Trend Micro, Earth Kasha has exploited the Array bug along with Proself and FortiOS/FortiProxy flaws (namely CVE-2023-45727 and CVE-2023-27997) for initial access, and then deployed backdoors such as Cobalt Strike, LodeInfo, and NoopDoor, for persistence.

On Monday, CISA added CVE-2023-28461 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to hunt for vulnerable Array instances in their environments and patch them as soon as possible.

“Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway,” CISA notes.


Per Binding Operational Directive (BOD) 22-01, federal agencies have until December 16 to apply patches for the exploited Array vulnerability. However, all organizations are advised to review CISA’s KEV list and apply the necessary remediations as soon as possible.
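The hunt-and-patch step CISA describes comes down to comparing each gateway's reported ArrayOS AG build against the fixed release named above. The following triage script is an added example, not code from SecurityWeek, Array Networks or CISA; the inventory lines, hostnames and every version number other than 9.4.0.484 are constructed for illustration, and the script assumes ArrayOS reports dotted numeric version strings.

```python
"""Triage an ArrayOS AG inventory against the CVE-2023-28461 fix (9.4.0.484)."""
from typing import Dict, List, Tuple

FIXED_VERSION = "9.4.0.484"  # first fixed build per the vendor advisory cited above
AFFECTED_MAJOR = 9           # the advisory scopes the bug to ArrayOS AG 9.x

# Constructed sample inventory (hostname,version); not real devices.
INVENTORY = """\
vpn-gw-01,9.4.0.471
vpn-gw-02,9.4.0.484
vpn-gw-03,9.3.0.312
vpn-gw-04,8.6.0.100
vpn-gw-05,unknown
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '9.4.0.484' into (9, 4, 0, 484); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in v.strip().split("."))


def assess(version: str) -> str:
    """Classify one version string for CVE-2023-28461.

    vulnerable   - 9.x build older than the fixed release: patch first
    patched      - 9.x build at or above the fixed release
    out-of-scope - not a 9.x build; the advisory says nothing about it, so
                   confirm with the vendor rather than assuming it is safe
    unparseable  - version unknown or malformed; treat as needing manual review
    """
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unparseable"
    if parsed[0] != AFFECTED_MAJOR:
        return "out-of-scope"
    # Tuple comparison handles differing lengths: (9, 4) < (9, 4, 0, 484).
    return "vulnerable" if parsed < parse_version(FIXED_VERSION) else "patched"


def triage(inventory_csv: str) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the vulnerable set can be prioritised."""
    groups: Dict[str, List[str]] = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        groups.setdefault(assess(version), []).append(host.strip())
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status:13} {', '.join(hosts)}")
```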


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
