CVE-2023-28461

CRITICAL KEV RANSOMWARE

Array Networks AG and vxAG - Unauthenticated Remote Code Execution

Exploitation Summary

CVE-2023-28461 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 25, 2024, with confirmed use in ransomware campaigns.

Description

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

Scores

CVSS v3 9.8
EPSS 0.8929
EPSS Percentile 99.6%
Attack Vector NETWORK
CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-11-25
VulnCheck KEV 2024-09-13
InTheWild.io 2024-11-25
ENISA EUVD EUVD-2023-32140
Ransomware Use Confirmed
CWE CWE-287, CWE-306
Status published
Products (1)
arraynetworks/arrayos_ag < 9.4.0.481
Published Mar 15, 2023
KEV Added Nov 25, 2024
Tracked Since Feb 18, 2026