CVE-2023-28461 | THREATINT

Description

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

PUBLISHED Reserved 2023-03-15 | Published 2023-03-15 | Updated 2025-07-30 | Assigner mitre

CISA Known Exploited Vulnerability

Date added 2024-11-25 | Due date 2024-12-16

Known Ransomware Campaign(s)

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

References

support.arraynetworks.net/..._Execution_Vulnerability_AG.pdf

cve.org (CVE-2023-28461)

nvd.nist.gov (CVE-2023-28461)

Download JSON