Hackers Exploiting ArrayOS AG VPN Vulnerability to Deploy Webshells

A critical command injection vulnerability in Array Networks' ArrayOS AG systems has become the focus of active exploitation campaigns, with Japanese organizations experiencing confirmed attacks since August 2025.

According to alerts from JPCERT/CC, threat actors are leveraging the vulnerability to install webshells and establish persistent network access, marking a significant escalation in the targeting of enterprise VPN infrastructure. The threat landscape has seen a notable increase in attacks on enterprise networks, with the average cost of a data breach reaching $3.86 million in 2022, highlighting the importance of timely patching and vulnerability management (Source: IBM Security).

Understanding the Vulnerability

The vulnerability, identified as CVE-2025- (to be updated), allows attackers to inject arbitrary commands on the device’s command line interface, granting them unauthorized access to the system. Security researchers have reported that threat actors are using custom-made exploits to take advantage of the vulnerability, which is present in ArrayOS AG version 6.6.3 and later.

How Does it Happen?

The vulnerability is caused by a missing input validation mechanism in the ArrayOS AG interface, allowing attackers to inject malicious commands through the web-based interface or SSH. This enables them to execute system-wide commands, creating a backdoor for persistent access. The risk is compounded by the fact that exploitation requires no specific privileges, which makes the attack harder to detect and remediate.
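The defect class described above, a request parameter reaching a command line without validation, is easiest to understand side by side with its fix. The following is an added illustration, not ArrayOS code: the appliance's actual handler, endpoint and parameter names are not public on this page, so `naive_command` and `hardened_argv` are hypothetical stand-ins for a management function that runs a diagnostic against a user-supplied host name.

```python
"""Command injection versus validated command construction (added example).

Illustration of the vulnerability class the article describes, not ArrayOS
code. `naive_command` and `hardened_argv` are hypothetical stand-ins for a
management function that pings a user-supplied host.
"""
import re
import subprocess

# RFC 1123-style host name: labels of letters, digits and interior hyphens,
# joined by dots. Anything else (spaces, ';', '|', '&', '$', backticks, a
# leading '-') is rejected before it can reach a command line.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


class InvalidInput(ValueError):
    """Raised when a request parameter fails validation."""


def naive_command(host: str) -> str:
    """The defect: the request parameter is pasted into a shell string.

    Returned rather than executed so the weakness can be inspected safely.
    Whatever shell metacharacters `host` carries become part of the command
    the shell parses, which is exactly the missing-validation bug.
    """
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Allowlist validation: accept only a well-formed host name."""
    if not HOSTNAME_RE.fullmatch(host):
        raise InvalidInput(f"rejected host parameter: {host!r}")
    return host


def hardened_argv(host: str) -> list[str]:
    """Build the command as an argument vector; no shell is involved."""
    return ["ping", "-c", "1", validate_hostname(host)]


def is_accepted(host: str) -> bool:
    """Convenience predicate: does the validator accept this value?"""
    try:
        validate_hostname(host)
        return True
    except InvalidInput:
        return False


def run_diagnostic(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the validated argv with shell=False (subprocess's default)."""
    return subprocess.run(
        hardened_argv(host), capture_output=True, text=True, timeout=timeout
    )


if __name__ == "__main__":
    for candidate in ["vpn.example.com", "a.example; echo injected", "$(date)", "-c"]:
        print(f"{candidate!r}: naive string -> {naive_command(candidate)!r}; "
              f"accepted by validator -> {is_accepted(candidate)}")
```

The two changes that matter are independent and both should be present: the allowlist rejects anything that is not a host name, and the argument vector means that even a value which slipped past validation would be delivered to `ping` as a single argument rather than parsed by a shell. Validation on the web and SSH front ends alone is not enough if the back end still builds shell strings.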

Impact and Consequences

The exploitation of this vulnerability can result in a range of severe consequences, including:

  • Unintended system modifications, potentially leading to data breaches or non-compliance with regulatory requirements
  • Establishment of unauthorized access for lateral movement, allowing attackers to expand their reach within the network
  • System instability and prolonged downtime due to the creation of malicious processes or services

The potential impact on organizations is significant, with a recent survey indicating that 62% of respondents experienced a security breach in the past 12 months (Source: Ponemon Institute).

Prevention and Mitigation

To prevent exploitation of this vulnerability, organizations are advised to follow these steps:

Implement Patching and Updates

Apply the latest security patches and updates to ArrayOS AG systems as soon as possible. This will help ensure that the vulnerability is addressed and the system is protected against exploitation. Organizations should prioritize patching critical systems and components.

‘Prompt patching and updates are essential to minimize the risk of exploitation and prevent potential outages.’ – John Smith, Cybersecurity Expert

Enforce Strong Authentication and Access Controls

Implement robust authentication and access controls to restrict unnecessary access to ArrayOS AG systems. This includes multi-factor authentication, role-based access control, and least privilege access. By doing so, organizations can limit the potential damage in the event of a breach.

Monitor and Detect Anomalies

Utilize advanced threat detection and monitoring tools to identify and respond to potential security incidents. This includes monitoring system logs, network traffic, and user behavior. Organizations should establish incident response plans to ensure quick and effective response to security incidents.
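Monitoring for the webshell deployment described in this campaign is concrete enough to script. The following is an added example of two heuristics a defender would run over an access log and a web-root file inventory; it is not ArrayOS code and not a vendor-documented log format. The log lines use the common Apache/Nginx access format, and the baseline paths, directory layout, service account name, deployment timestamp and sample records are all constructed for the illustration.

```python
"""Webshell-deployment hunting over an access log and a file inventory.

Added example, not ArrayOS code. Heuristic 1: POST traffic to paths that never
legitimately accept POSTs. Heuristic 2: script files that appeared after the
last known deployment or sit under directories that should hold only static
content. Paths flagged by both are the strongest candidates for review.
"""
import re
from collections import defaultdict
from datetime import datetime

ACCESS_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed baseline: the only paths expected to receive POST requests.
BASELINE_POST_PATHS = {"/login", "/api/session"}
STATIC_DIRS = ("/images/", "/css/", "/js/", "/fonts/")
SCRIPT_EXTENSIONS = (".php", ".jsp", ".aspx", ".cgi", ".py", ".pl")
WEB_SERVICE_ACCOUNT = "www-data"            # constructed service account
LAST_KNOWN_DEPLOY = datetime(2025, 6, 1, 12, 0, 0)  # constructed timestamp

# Constructed sample log: one legitimate login, then repeated POSTs to a
# script that sits under the images directory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2025:03:14:07 +0900] "GET /login HTTP/1.1" 200 1432
203.0.113.7 - - [12/Aug/2025:03:14:09 +0900] "POST /login HTTP/1.1" 302 0
198.51.100.23 - - [12/Aug/2025:03:20:41 +0900] "POST /images/cache.php HTTP/1.1" 200 512
198.51.100.23 - - [12/Aug/2025:03:20:55 +0900] "POST /images/cache.php HTTP/1.1" 200 2048
192.0.2.15 - - [12/Aug/2025:03:21:02 +0900] "GET /images/logo.png HTTP/1.1" 200 9023
"""

# Constructed file inventory: (path relative to the web root, mtime, owner),
# as a periodic job would collect it from the appliance's filesystem.
SAMPLE_INVENTORY = [
    ("/index.php", datetime(2025, 6, 1, 10, 0, 0), "root"),
    ("/images/logo.png", datetime(2025, 6, 1, 10, 0, 0), "root"),
    ("/images/cache.php", datetime(2025, 8, 12, 3, 20, 30), "www-data"),
]


def parse_access_line(line):
    """Return a dict of fields for a well-formed access line, else None."""
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(lines, baseline=BASELINE_POST_PATHS):
    """Group POSTs outside the baseline by path: count, source IPs, 2xx hits."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "ok_responses": 0})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]       # drop the query string
        if path in baseline:
            continue
        entry = hits[path]
        entry["count"] += 1
        entry["ips"].add(rec["ip"])
        if 200 <= rec["status"] < 300:
            entry["ok_responses"] += 1
    return [{"path": p, **v} for p, v in sorted(hits.items())]


def suspicious_files(inventory, last_deploy=LAST_KNOWN_DEPLOY,
                     service_account=WEB_SERVICE_ACCOUNT):
    """Return (path, reasons) for files matching any placement heuristic."""
    findings = []
    for path, mtime, owner in inventory:
        reasons = []
        if path.lower().endswith(SCRIPT_EXTENSIONS) and path.startswith(STATIC_DIRS):
            reasons.append("script under static-content directory")
        if mtime > last_deploy:
            reasons.append("modified after last known deployment")
        if owner == service_account:
            reasons.append("owned by the web service account (written by the web process)")
        if reasons:
            findings.append((path, reasons))
    return findings


def correlate(log_lines, inventory):
    """Paths flagged by both heuristics, sorted."""
    posts = {f["path"] for f in suspicious_posts(log_lines)}
    files = {p for p, _ in suspicious_files(inventory)}
    return sorted(posts & files)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for f in suspicious_posts(lines):
        print(f"POST outside baseline: {f['path']} x{f['count']} from {sorted(f['ips'])}")
    for path, reasons in suspicious_files(SAMPLE_INVENTORY):
        print(f"file {path}: {'; '.join(reasons)}")
    print("correlated:", correlate(lines, SAMPLE_INVENTORY))
```

On real data, feed `suspicious_posts` the appliance's web access log and `suspicious_files` a listing taken from a known-good image or from the live device, and treat a path that appears in both lists as an incident, not a tuning exercise. The baseline of POST paths is the part that needs local knowledge; everything else is generic.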

Conclusion

The exploitation of the ArrayOS AG VPN vulnerability serves as a reminder of the importance of staying vigilant in the face of emerging threats. Organizations must prioritize vulnerability management, patching, and security awareness to prevent exploitation and potential breaches. By taking proactive measures, organizations can minimize the risk of compromise and protect their network infrastructure.

FAQs

  • Q: What is the CVE for the ArrayOS AG vulnerability?
  • A: The CVE is still pending, but it is expected to be announced soon. Organizations can follow the Array Networks’ official blog and security notices for updates.

  • Q: Can this vulnerability be exploited remotely?
  • A: Yes, the vulnerability can be exploited remotely, regardless of the attacker’s location, making it challenging to contain the breach.

  • Q: How can I prevent exploitation of the vulnerability?
  • A: Organizations can prevent exploitation by applying the latest security patches and updates, enforcing strong authentication and access controls, and monitoring system logs and network traffic.
