Attackers are actively exploiting a critical vulnerability in Array Networks’ ArrayOS AG series VPN appliances, leading to unauthorized access to enterprise networks. This flaw, residing in the DesktopDirect function, allows threat actors to inject commands and deploy webshells, posing a significant risk to organizations worldwide. Confirmed attacks leveraging this weakness have been ongoing since August 2025, with a notable concentration of targets in Japan.
The vulnerability enables attackers to execute arbitrary commands on affected systems. Although Array Networks released a patch in May 2025, many organizations remain exposed because they continue to run older, vulnerable versions of the ArrayOS AG software. Security analysts at JPCERT/CC have documented coordinated attack campaigns specifically targeting these devices, highlighting a sophisticated approach to compromising gateway appliances. The lack of a CVE identifier at this time does not diminish the severity or documented reality of these ongoing exploits.
Webshell Deployment and Attack Mechanics in ArrayOS AG Exploits
The primary method of exploiting this ArrayOS AG vulnerability involves sending specially crafted requests to the DesktopDirect interface. Attackers place characters such as semicolons in request URLs to escape the boundaries of the command the appliance intends to run. This allows them to insert and run their own malicious instructions on the vulnerable device.
In documented instances, the commands executed by attackers aimed to install PHP webshells. These webshells are essentially backdoors that grant remote command execution capabilities on the compromised appliance. Threat actors have been observed placing these webshells in specific directory paths, such as “/ca/aproxy/webapp/”, enabling persistent access.
Once initial access is gained through the command injection flaw, attackers focus on establishing persistence and moving deeper into the network. JPCERT/CC analysts have reported that successful exploitation has led to the creation of unauthorized user accounts and the deployment of backdoors. This methodical approach allows attackers to maintain a hidden presence within victim networks, facilitating further lateral movement, data exfiltration, and ultimately, more significant breaches.
The observed attack traffic has been traced to a specific source IP address, 194.233.100[.]138. However, security researchers caution that this may represent only a single point within a larger, distributed attack infrastructure. The sophistication of these attacks underscores the importance of prompt patching and robust security monitoring for organizations relying on these VPN solutions.
Mitigation and Future Outlook for ArrayOS AG Vulnerabilities
To address this critical security threat, it is imperative for organizations to upgrade their ArrayOS AG installations to version 9.4.5.9 or the latest available patched version. For those unable to immediately apply the patch, a workaround involves disabling the DesktopDirect service if remote administrator access via this feature is not strictly necessary. This action can significantly reduce the attack surface.
When applying patches or implementing workarounds, organizations are strongly advised to preserve system logs before rebooting affected appliances. Array Networks’ internal guidance suggests that reboots following updates can sometimes lead to log data loss, which could be crucial for forensic investigations in the event of a confirmed breach. Preserving these logs is vital for understanding the scope and methods of an attack.
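The two defensive checks described above, the version comparison against the 9.4.5.9 fix and a review of request logs for the observed indicators (semicolons in URL paths, PHP files under "/ca/aproxy/webapp/", the reported source IP), as an added example that is not Array Networks or JPCERT/CC code. The log format and all sample lines are constructed; the exact DesktopDirect URL path is not given in the report and is not relied on.

```python
"""Triage helpers for the ArrayOS AG DesktopDirect command-injection campaign.
Added example: the Apache-style log format and sample lines are constructed."""
import re
from urllib.parse import unquote

PATCHED_VERSION = (9, 4, 5, 9)        # fixed release named in the advisory text
WEBSHELL_DIR = "/ca/aproxy/webapp/"   # drop directory observed by JPCERT/CC
KNOWN_SOURCE_IP = "194.233.100.138"   # reported source; may be one node of many

# Common Log Format: ip - - [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def is_vulnerable_version(version: str) -> bool:
    """True when an ArrayOS AG version string sorts below the patched release."""
    parts = tuple(int(p) for p in version.strip().split("."))
    parts = parts + (0,) * (4 - len(parts))   # "9.4.5" compares as 9.4.5.0
    return parts < PATCHED_VERSION

def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) that one access-log line merits review."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src_ip, _ts, _method, raw_path, _status = m.groups()
    path = unquote(raw_path)                  # ";" may arrive encoded as %3B
    reasons = []
    # Only the path is checked; ";" in a query string is far more often benign.
    if ";" in path.split("?", 1)[0]:
        reasons.append("semicolon in URL path (command-injection pattern)")
    if path.startswith(WEBSHELL_DIR) and path.lower().endswith(".php"):
        reasons.append("PHP resource under webshell drop directory")
    if src_ip == KNOWN_SOURCE_IP:
        reasons.append("request from reported attack source IP")
    return reasons

def triage_log(lines):
    """Map each suspicious line to its reasons; clean lines are omitted."""
    return {ln: r for ln in lines if (r := triage_line(ln))}

# Constructed sample traffic (not real captures); "/desktopdirect/" is a hypothetical path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2025:10:00:00 +0900] "GET /portal/index.html HTTP/1.1" 200 512',
    '194.233.100.138 - - [01/Sep/2025:10:01:13 +0900] "GET /ca/aproxy/webapp/x.php HTTP/1.1" 200 77',
    '198.51.100.9 - - [01/Sep/2025:10:02:30 +0900] "GET /desktopdirect/page%3Bfoo HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("9.4.5.8 vulnerable:", is_vulnerable_version("9.4.5.8"))
    for ln, why in triage_log(SAMPLE_LOG).items():
        print(ln.split()[0], "->", "; ".join(why))
```

Because the advice above is to preserve logs before rebooting, run this kind of triage on a copied log set rather than on the appliance itself.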
The ongoing exploitation of this ArrayOS AG vulnerability highlights a persistent challenge in cybersecurity: the lag between patch release and widespread deployment. As attackers continue to actively scan for and exploit unpatched systems, organizations must remain vigilant. The next steps for those affected will likely involve thorough security audits, incident response planning, and a review of their patch management strategies to prevent similar incidents in the future. The continued monitoring by security researchers for new attack vectors or variations of this exploit, along with the potential assignment of a CVE identifier, will be critical in informing ongoing defense efforts.