A critical command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in the wild since August 2025. The exploitation targets the DesktopDirect feature, a remote desktop access solution, allowing malicious actors to execute arbitrary commands on compromised systems. This widespread exploitation poses a significant risk to organizations relying on these gateways for secure remote access.
The vulnerability, which currently lacks a CVE identifier, was officially patched by Array Networks on May 11, 2025. However, its continued exploitation indicates that many organizations have yet to apply the necessary security updates. Japan’s JPCERT/CC issued an alert this week, confirming incidents where attackers have successfully deployed web shells on susceptible devices after August 2025, originating from the IP address “194.233.100[.]138.”
Array Networks Gateway Command Injection Exploitation
The identified command injection vulnerability is rooted in Array’s DesktopDirect component. This feature is designed to provide users with secure access to their work computers from any location. However, when this feature is enabled on vulnerable systems, attackers can leverage the flaw to inject and execute their own commands, potentially leading to full system compromise.
JPCERT/CC has confirmed incidents in Japan where this security weakness has been exploited. The primary method observed involves attackers dropping web shells onto the affected gateways. A web shell grants attackers persistent access and control over the compromised server, enabling them to perform a wide range of malicious activities, including data exfiltration, further malware deployment, or pivoting to other systems within the network.
Details of the Exploitation
While JPCERT/CC has confirmed that the command injection flaw is being exploited, specific details regarding the scale of the attacks, the precise methods used to weaponize the vulnerability, and the identity of the threat actors behind these campaigns remain scarce. The lack of definitive attribution makes it harder for security researchers and affected organizations to defend proactively against these specific threats.
It is worth noting that a separate authentication bypass flaw within the same DesktopDirect product, identified as CVE-2023-28461 with a severity score of 9.8, was exploited last year. That incident was attributed to a China-linked cyber espionage group known as MirrorFace, which has a history of targeting Japanese organizations since at least 2019. However, there is currently no direct evidence linking MirrorFace or any other specific threat actor to the ongoing exploitation of this new command injection vulnerability.
Impact and Mitigation Strategies for ArrayOS Users
The command injection vulnerability affects ArrayOS versions 9.4.5.8 and earlier. Array Networks has addressed this critical issue by releasing ArrayOS version 9.4.5.9. Users are strongly advised to prioritize applying the latest security updates from Array Networks as soon as possible to mitigate the risk of exploitation.
For organizations that are unable to apply the patches immediately, JPCERT/CC recommends two alternative mitigation strategies. Firstly, disabling the DesktopDirect services entirely removes the attack vector. Secondly, implementing URL filtering to deny access to URLs containing a semicolon character can block certain injection attempts, although this is a less comprehensive solution than patching.
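As an added illustration, not taken from the JPCERT/CC alert or from Array Networks, the Python snippet below applies the two facts the article gives to a defender's own data: a version check against the 9.4.5.8 cutoff, and a scan of web access logs for requests that come from the reported source IP or carry a semicolon in the URL. The log format, the `/dd/` paths and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Indicator published in the JPCERT/CC alert, written without the [.] defang
# so it can be compared against log fields.
KNOWN_SOURCE_IP = "194.233.100.138"
LAST_VULNERABLE_VERSION = (9, 4, 5, 8)   # fixed in ArrayOS 9.4.5.9

# Assumed combined-log-style line: ip ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(version: str) -> tuple:
    """Turn a dotted ArrayOS version string such as '9.4.5.8' into an int tuple."""
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable_version(version: str) -> bool:
    """True for 9.4.5.8 and earlier; False for 9.4.5.9 and later."""
    return parse_version(version) <= LAST_VULNERABLE_VERSION

def scan_access_log(log_text: str) -> list:
    """Flag requests matching the two signals the advisory gives: a semicolon
    anywhere in the requested URL (checked after percent-decoding so an encoded
    %3B is treated the same as a literal one) or the reported source IP."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        src_ip, method, url, status = m.groups()
        reasons = []
        if ";" in unquote(url):
            reasons.append("semicolon in URL")
        if src_ip == KNOWN_SOURCE_IP:
            reasons.append("known source IP")
        if reasons:
            findings.append({"line": lineno, "ip": src_ip, "method": method,
                             "url": url, "status": int(status), "reasons": reasons})
    return findings

# Constructed sample log lines; the /dd/ paths are placeholders, not the
# real DesktopDirect endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2025:10:01:02 +0900] "GET /dd/login HTTP/1.1" 200 512
194.233.100.138 - - [12/Sep/2025:10:05:44 +0900] "GET /dd/connect?host=srv1;x HTTP/1.1" 200 88
10.0.0.9 - - [12/Sep/2025:10:07:10 +0900] "POST /dd/connect?host=srv2%3Bx HTTP/1.1" 200 77
10.0.0.7 - - [12/Sep/2025:10:09:31 +0900] "GET /static/logo.png HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    print("9.4.5.8 vulnerable:", is_vulnerable_version("9.4.5.8"))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A hit on the semicolon rule alone is a candidate for review rather than proof of compromise, since legitimate URLs can contain semicolons; the known-IP match is the stronger signal.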
The ongoing exploitation of this command injection vulnerability underscores the persistent threat faced by organizations from unpatched systems, particularly those providing remote access capabilities. Security professionals will be closely monitoring for any further revelations regarding the actors involved and the scope of these attacks, as well as any potential additional mitigation guidance from Array Networks.