Hackers Exploiting ArrayOS AG VPN Vulnerability to Deploy Webshells


A critical command injection vulnerability in Array Networks’ ArrayOS AG systems has become the focus of active exploitation campaigns, with Japanese organizations experiencing confirmed attacks since August 2025.

According to alerts from JPCERT/CC, threat actors are leveraging the vulnerability to install webshells and establish persistent network access, marking a significant escalation in the targeting of enterprise VPN infrastructure.

The vulnerability resides in the DesktopDirect function of Array Networks’ Array AG series, a feature designed to provide remote desktop access.

The command injection vulnerability permits attackers to execute arbitrary commands on vulnerable systems without requiring valid credentials.

Although Array Networks issued a patched version in May 2025, before the vulnerability was publicly disclosed, attackers have successfully exploited unpatched instances across multiple Japanese organizations over the past four months.

Affected Systems and Scope

The vulnerability impacts ArrayOS AG version 9.4.5.8 and earlier, specifically systems with the DesktopDirect feature enabled.

This represents a potentially broad attack surface, as many enterprises deploy Array Networks’ VPN solutions as critical remote access infrastructure.

The fact that attack campaigns have persisted for months while remaining relatively undocumented highlights the risk posed by organizations delaying security updates for network-critical systems.

JPCERT/CC’s investigation confirms that attackers exploiting this vulnerability have successfully deployed webshells within affected systems, created unauthorized user accounts, and leveraged compromised devices to conduct internal network reconnaissance.

In documented cases, attackers executed commands targeting the path “/ca/aproxy/webapp/”, a critical application directory, to install PHP webshell files for sustained access.

Investigators have also identified a single source IP address, 194.233.100.138, associated with the attack traffic, suggesting that the observed intrusions share a single attack infrastructure.

The progression from initial exploitation to webshell deployment is a well-established attack chain: a webshell gives the threat actor persistent access that survives credential changes or network modifications, because it no longer depends on the original entry point.

The creation of new user accounts further suggests attackers are establishing fallback access mechanisms to ensure continued presence even if the primary vulnerability is patched.

Mitigations

Array Networks recommends immediate upgrading to ArrayOS AG 9.4.5.9, which incorporates the necessary security fixes.

However, because applying the patch requires a system reboot that may result in log loss, a critical consideration for forensic investigation and incident response, organizations should capture the appliance's logs before upgrading and test the upgrade before rolling it out to production.

For organizations unable to deploy the patch immediately, Array Networks provides interim workarounds: disabling DesktopDirect if it is not operationally necessary, and implementing URL filters that block requests containing semicolon characters, which command injection attacks frequently use to chain commands. Treat the filter as a stopgap rather than a fix: verify that it matches encoded forms such as %3B as well as a literal semicolon, and check it against legitimate traffic before relying on it.

Organizations currently running vulnerable ArrayOS AG versions should prioritize immediate investigation for signs of compromise.

Recommended actions include checking for unexpected user accounts, analyzing webshell artifacts in the “/ca/aproxy/webapp/” directory, and reviewing network traffic logs for connections from the identified malicious IP address.

Given the potential for log loss during patching, preservation of forensic evidence should precede any remediation activities.
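The log review described above can be scripted against the appliance's web access logs before any remediation touches the device. The following is an added example, not tooling from Array Networks or JPCERT/CC. It flags three indicators drawn from the reporting: requests from the published source IP, request URIs that contain a semicolon after URL decoding (so that a search or filter keyed on a literal ';' does not miss %3B or the double-encoded %253B), and requests for PHP files under /ca/aproxy/webapp/. The log line format, the /dd/ paths standing in for DesktopDirect, and the sample lines themselves are constructed assumptions for illustration, not real appliance logs.

```python
"""Triage web access log lines for the ArrayOS AG indicators discussed above.

Added example; not Array Networks or JPCERT/CC tooling. Assumptions:
  - a Common-Log-Format-like line layout (ip, ident, user, [ts], "req", status, size)
  - /dd/... paths stand in for the DesktopDirect endpoint (hypothetical)
  - the sample lines are constructed, not captured from a real appliance
"""
import re
from urllib.parse import unquote

REPORTED_SOURCE_IP = "194.233.100.138"   # source IP published by JPCERT/CC
WEBSHELL_DIR = "/ca/aproxy/webapp/"      # directory where PHP webshells were dropped

# Constructed sample log: one benign request, one raw injection attempt from the
# reported IP, one double-encoded attempt, one webshell call, and one benign
# request that happens to carry an encoded semicolon (a likely false positive).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2025:09:14:02 +0900] "GET /dd/login HTTP/1.1" 200 512
194.233.100.138 - - [12/Aug/2025:09:14:07 +0900] "GET /dd/connect?host=10.0.0.9;id HTTP/1.1" 200 88
203.0.113.7 - - [12/Aug/2025:09:15:11 +0900] "GET /dd/connect?host=10.0.0.9%253Bcurl HTTP/1.1" 200 88
203.0.113.7 - - [12/Aug/2025:09:16:40 +0900] "GET /ca/aproxy/webapp/shell.php?c=whoami HTTP/1.1" 200 40
10.0.0.6 - - [12/Aug/2025:09:17:00 +0900] "GET /dd/files?name=report%3B2025.pdf HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(uri: str, rounds: int = 3) -> str:
    """URL-decode repeatedly until the string stops changing.

    A single decode turns %3B into ';' but leaves %253B as '%3B'; looping
    catches the double-encoded form an attacker might use to slip past a
    filter that decodes only once. The round limit bounds pathological input.
    """
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def indicators(line: str) -> list[str]:
    """Return the list of indicator names that match a single log line."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable line: skip rather than guess
    hits = []
    if m["ip"] == REPORTED_SOURCE_IP:
        hits.append("reported-source-ip")
    decoded = fully_decode(m["uri"])
    if ";" in decoded:
        hits.append("semicolon-in-uri")
    path = decoded.split("?", 1)[0]
    if path.startswith(WEBSHELL_DIR) and path.endswith(".php"):
        hits.append("webshell-path")
    return hits


def triage(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line_number, source_ip, indicators) for every line with a hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hits = indicators(line)
        if hits:
            findings.append((lineno, line.split(" ", 1)[0], hits))
    return findings


if __name__ == "__main__":
    for lineno, ip, hits in triage(SAMPLE_LOG):
        print(f"line {lineno}: {ip} -> {', '.join(hits)}")
```

The last sample line shows why a semicolon hit on its own is not proof of compromise: an internal host requesting a file whose name contains an encoded semicolon trips the same rule. Review semicolon hits together with the source IP and the requested path before treating them as confirmed, and apply the same decode-then-match logic to any interim URL filter so that encoded payloads are not waved through.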

This vulnerability underscores the persistent threat landscape targeting enterprise VPN infrastructure, where security delays can result in direct access to internal networks for opportunistic threat actors.
