A command injection vulnerability in Array Networks AG Collection safe entry gateways has been exploited within the wild since August 2025, in response to an alert issued by JPCERT/CC this week.
The vulnerability, which doesn’t have a CVE identifier, was addressed by the corporate on Could 11, 2025. It is rooted in Array’s DesktopDirect, a distant desktop entry resolution that enables customers to securely entry their work computer systems from any location.
“Exploitation of this vulnerability may enable attackers to execute arbitrary instructions,” JPCERT/CC mentioned. “This vulnerability impacts techniques the place the ‘DesktopDirect’ characteristic, which offers distant desktop entry, is enabled.”
The company mentioned it has confirmed incidents in Japan which have exploited the shortcoming after August 2025 to drop internet shells on prone units. The assaults have originated from the IP deal with “194.233.100[.]138.”
There are presently no particulars out there on the size of the assaults, weaponizing the flaw, and identification of the menace actors exploiting it.
Nevertheless, an authentication bypass flaw in the identical product (CVE-2023-28461, 9.8) was exploited final yr by a China-linked cyber espionage group dubbed MirrorFace, which has a historical past of focusing on Japanese organizations since a minimum of 2019. That mentioned, there isn’t a proof to recommend that at this stage the menace actor may very well be linked to the newest assault spree.
The vulnerability impacts ArrayOS variations 9.4.5.8 and earlier, and has been addressed in model ArrayOS 9.4.5.9. Customers are suggested to use the newest updates as quickly as potential to mitigate potential threats. In case patching isn’t an instantaneous choice, it is really useful to disable DesktopDirect providers and use URL filtering to disclaim entry to URLs containing a semicolon, JPCERT/CC mentioned.
