CISA Urges Agencies to Patch Critical “Array Networks” Flaw Amid Active Attacks

Cyber Security

Nov 26, 2024Ravie LakshmananVulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched critical security flaw impacting Array Networks AG and vxAG secure access gateways to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.

The vulnerability, tracked as CVE-2023-28461 (CVSS score: 9.8), concerns a case of missing authentication that could be exploited to achieve arbitrary code execution remotely. Fixes (version 9.4.0.484) for the security shortcoming were released by the network hardware vendor in March 2023.

“Array AG/vxAG remote code execution vulnerability is a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication,” Array Networks said. “The product can be exploited through a vulnerable URL.”

The inclusion to KEV catalog comes shortly after cybersecurity company Trend Micro revealed that a China-linked cyber espionage group dubbed Earth Kasha (aka MirrorFace) has been exploiting security flaws in public-facing enterprise products, such as Array AG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997), for initial access.

Earth Kasha is known for its extensive targeting of Japanese entities, although, in recent years, it has also been observed attacking Taiwan, India, and Europe.

Earlier this month, ESET also disclosed an Earth Kasha campaign that targeted an unnamed diplomatic entity in the European Union to deliver a backdoor known as ANEL by using it as a lure as the upcoming World Expo 2025 that’s scheduled to take place in Osaka, Japan, starting April 2025.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are recommended to apply the patches by December 16, 2024, to secure their networks.

The disclosure comes as 15 different Chinese hacking groups out of a total of 60 named threat actors have been linked to the abuse of at least one of the top 15 routinely exploited vulnerabilities in 2023, according to VulnCheck.

The cybersecurity company said it has identified over 440,000 internet-exposed hosts that are potentially susceptible to attacks.

“Organizations should evaluate their exposure to these technologies, enhance visibility into potential risks, leverage robust threat intelligence, maintain strong patch management practices, and implement mitigating controls, such as minimizing internet-facing exposure of these devices wherever possible,” VulnCheck’s Patrick Garrity said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.