Hackers Actively Exploiting ArrayOS AG VPN Vulnerability to Deploy Webshells

Attackers are actively exploiting a serious vulnerability in Array Networks’ ArrayOS AG series to gain unauthorized access to enterprise networks.

The flaw exists in the DesktopDirect function, a feature designed to provide remote desktop access to administrators.

Security researchers have discovered that this command injection vulnerability allows attackers to execute arbitrary commands on affected systems with minimal restrictions.

While no CVE identifier has been assigned yet, the threat is very real and documented, with confirmed attacks occurring since August 2025, primarily targeting organizations in Japan.

Array Networks released a patched version in May 2025, but the widespread deployment of older versions has left numerous systems vulnerable.

JPCERT/CC security analysts have identified coordinated attack campaigns leveraging this weakness, marking a significant shift in how attackers target enterprise gateway appliances.

The vulnerability affects all ArrayOS AG installations running version 9.4.5.8 and earlier, particularly those with the DesktopDirect feature enabled.

Organizations using these systems face serious risks, as attackers are actively scanning networks for vulnerable instances and moving quickly to establish persistent access.

JPCERT security analysts identified that attackers exploited this vulnerability to install PHP webshells, create unauthorized user accounts, and establish footholds for internal network intrusion.

The attack pattern demonstrates a methodical approach, with threat actors gaining initial access through the command injection flaw and then leveraging that foothold to deploy backdoors for long-term persistence.

Webshell Deployment and Attack Mechanics

The primary infection vector involves sending specially crafted requests containing command sequences to the DesktopDirect interface.

Attackers abuse semicolon characters in URLs to terminate the command the appliance intended to run and append instructions of their own, which the system then executes.

In confirmed attacks, the command executed attempted to place a PHP webshell file in the path “/ca/aproxy/webapp/”, enabling remote command execution on the compromised appliance.

The webshell serves as a persistent backdoor, allowing attackers to maintain access, exfiltrate data, and pivot deeper into target networks.

Attack traffic has been traced to the source IP address 194.233.100[.]138, though this may represent only one node in a broader attack infrastructure.

Immediate mitigation requires upgrading to ArrayOS AG version 9.4.5.9 or implementing workarounds by disabling DesktopDirect services if remote access is unnecessary.

Organizations should preserve logs before patching, as rebooting after updates can result in log loss, potentially destroying critical forensic evidence needed for breach investigations.
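The following is an added triage example, not code from the article or from Array Networks or JPCERT/CC. It applies the indicators described above to appliance web access logs from a defender's side: requests that carry a shell separator (`;`) after URL decoding, requests that reference the webshell drop path `/ca/aproxy/webapp/`, and traffic from the published source IP 194.233.100[.]138. It also checks whether a reported ArrayOS AG version falls inside the affected range (9.4.5.8 and earlier) so the upgrade step can be prioritised. The log lines are constructed for the example in a simplified Common Log Format; the real appliance log format and the DesktopDirect URL path (`/desktopdirect/` here) are assumptions, not facts from the article.

```python
"""Triage helper for ArrayOS AG web access logs (added example).

Flags the three indicators the report describes and decides whether a
version string is within the affected range.  Log format, sample lines
and the DesktopDirect URL path are constructed/assumed for this example.
"""
import re
from urllib.parse import unquote

# Published source IP, written defanged in the report as 194.233.100[.]138
IOC_SOURCE_IP = "194.233.100.138"
# Directory the observed command tried to write a PHP webshell into
WEBSHELL_DIR = "/ca/aproxy/webapp/"
# Versions 9.4.5.8 and earlier are affected; 9.4.5.9 carries the fix
LAST_AFFECTED_VERSION = (9, 4, 5, 8)
# Assumed request path for the DesktopDirect feature (not from the page)
DESKTOPDIRECT_PATH = "/desktopdirect/"

# Simplified Common Log Format: ip ident user [timestamp] "METHOD url proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines for the example (not real traffic)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2025:08:01:10 +0900] "GET /desktopdirect/?user=alice HTTP/1.1" 200',
    '203.0.113.9 - - [12/Sep/2025:08:02:33 +0900] "GET /desktopdirect/?user=bob%3Bwhoami HTTP/1.1" 500',
    '194.233.100.138 - - [12/Sep/2025:08:03:01 +0900] "POST /ca/aproxy/webapp/x.php HTTP/1.1" 200',
    '10.0.0.7 - - [12/Sep/2025:08:04:45 +0900] "GET /login HTTP/1.1" 200',
]


def parse_version(version: str) -> tuple:
    """Turn '9.4.5.8' into (9, 4, 5, 8) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True when the version is 9.4.5.8 or earlier (still vulnerable)."""
    return parse_version(version) <= LAST_AFFECTED_VERSION


def triage_line(line: str):
    """Return a dict with the reasons a single log line is suspicious, or None if unparsable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    # Decode percent-encoding first: %3B is the usual way ';' is smuggled in
    url = unquote(match["url"])
    reasons = []
    if match["ip"] == IOC_SOURCE_IP:
        reasons.append("source ip matches published IoC")
    if ";" in url:
        if url.lower().startswith(DESKTOPDIRECT_PATH):
            reasons.append("shell separator ';' in DesktopDirect request")
        else:
            reasons.append("shell separator ';' in request URL")
    if WEBSHELL_DIR in url:
        reasons.append("reference to webshell drop path")
    return {"ip": match["ip"], "url": url, "reasons": reasons}


def triage(lines):
    """Return only the parsed lines that triggered at least one indicator."""
    hits = []
    for line in lines:
        result = triage_line(line)
        if result and result["reasons"]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ip"], hit["url"], "->", "; ".join(hit["reasons"]))
    for v in ("9.4.5.8", "9.4.5.9"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Run this against logs copied off the appliance before patching, since the article notes a post-update reboot can discard them. A bare semicolon is a noisy indicator on its own (path parameters such as `;jsessionid=` are legitimate), so treat the separator hit as a lead to review rather than a verdict, and weight a match on the webshell path or the published source IP more heavily.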
