CVE-2023-28461

CVE-2023-28461 is a critical-severity vulnerability in Arraynetworks Arrayos Ag with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-11-25). The underlying weakness is classified as CWE-287.

Key facts

Description

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

CVE-2023-28461: Unauthenticated Remote Code Execution in Array Networks AG SSL VPN Gateways

AI-generated analysis based on the vulnerability data on this page.

Summary

CVE-2023-28461 is a critical unauthenticated remote code execution vulnerability affecting Array Networks AG Series and vxAG SSL VPN gateways running ArrayOS AG 9.4.0.481 and earlier. An attacker can exploit a flags attribute in an HTTP header to browse the filesystem without authentication, then leverage a vulnerable URL to execute arbitrary code on the gateway. The vulnerability is actively exploited in the wild and carries a CVSS v3.1 score of 9.8.

Background

Array Networks AG Series appliances and the vxAG virtual SSL VPN gateway provide remote access and secure connectivity for enterprise networks. These devices sit at the network perimeter and are exposed to the internet in typical deployments, making them high-value targets for threat actors seeking initial access to corporate environments. ArrayOS AG is the underlying operating system that powers these appliances.

Root Cause

The vulnerability stems from CWE-287: Improper Authentication. The SSL VPN gateway fails to properly validate or authenticate requests containing a specially crafted flags attribute in an HTTP header. This authentication bypass allows unauthenticated remote attackers to access filesystem browsing functionality that should be restricted to authenticated administrative sessions. The insecure handling of this header attribute effectively grants anonymous users partial administrative capabilities, collapsing the trust boundary between external attackers and internal system interfaces.

Impact

With a CVSS v3.1 score of 9.8 (Critical), this vulnerability presents an extreme risk to affected organizations. The scoring vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that exploitation requires:

  • Attack Vector (AV): Network — exploitable remotely over the internet
  • Attack Complexity (AC): Low — no special conditions or advanced techniques needed
  • Privileges Required (PR): None — no credentials or prior access necessary
  • User Interaction (UI): None — fully automated exploitation possible
  • Scope (S): Unchanged — impact limited to the vulnerable component
  • Confidentiality (C): High — complete disclosure of system data
  • Integrity (I): High — full modification of system data possible
  • Availability (A): High — complete system shutdown or resource exhaustion possible

The combined impact score of 5.9 and exploitability score of 3.9 indicate that successful exploitation grants an attacker near-total control over the VPN gateway, including the ability to pivot into internal networks, exfiltrate credentials, intercept traffic, or render the device inoperable.

Exploitation Walkthrough

Ethics Notice: The following description is provided for defensive and awareness purposes only. No working exploit code is included. Security practitioners should use this information to understand attack surface and improve detection capabilities.

The attack proceeds in two conceptual stages:

  1. Authentication Bypass via Header Manipulation — The attacker sends an HTTP request to the SSL VPN gateway with a modified flags attribute in a request header. The gateway fails to authenticate the request and treats it as legitimate, granting access to filesystem browsing functionality.

  2. Code Execution via Vulnerable URL — With filesystem access established, the attacker identifies and interacts with a vulnerable URL endpoint on the gateway to achieve arbitrary code execution. The specific URL and parameters are not publicly disclosed in available advisories, but the vendor confirmed this escalation path exists.

Because both stages can be executed without authentication, the attack is fully automatable and wormable across exposed internet-facing appliances.

Affected and Patched Versions

Affected Products:

  • Array Networks AG Series physical appliances (AG1000, AG1000T, AG1000V5, AG1100V5, AG1150, AG1200, AG1200V5, AG1500, AG1500FIPS, AG1500V5, AG1600, AG1600V5)
  • Array Networks vxAG virtual SSL VPN gateway
  • ArrayOS AG version 9.4.0.481 and earlier

Patched Versions:

No specific patched version number was disclosed in the available advisory data. The vendor stated in a March 9, 2023 advisory that "a new Array AG release with the fix will be available soon." Organizations should consult Array Networks support directly for current patch availability and version guidance.

Remediation

  1. Apply Vendor Patch — Contact Array Networks support to obtain the latest fixed release of ArrayOS AG. Prioritize patching any internet-facing AG Series or vxAG appliances.

  2. Network Segmentation — Restrict VPN gateway management interfaces to trusted administrative networks. Place SSL VPN appliances behind a Web Application Firewall (WAF) or network intrusion prevention system with rules tuned for header anomalies.

  3. Compensating Controls — If immediate patching is not feasible:

    • Disable or restrict external access to the management plane
    • Implement strict ingress filtering to limit source IPs that can reach the appliance
    • Monitor for anomalous HTTP headers, particularly unexpected flags attributes
    • Enable detailed logging on reverse proxies or load balancers fronting the gateway
  4. Credential Rotation — After compromise remediation, rotate all credentials stored on or passing through the affected VPN gateway, as an attacker with RCE could have extracted secrets.

Detection

Defenders should monitor for the following indicators and behaviors:

  • Unauthenticated HTTP requests to administrative or filesystem-related endpoints on AG/vxAG appliances
  • HTTP requests containing unusual or non-standard flags attributes in headers, especially from external source IPs
  • Unexpected file or directory enumeration patterns in gateway access logs
  • Subsequent lateral movement or internal scanning originating from the VPN gateway's management IP
  • Anomalous processes or network connections initiated by the ArrayOS AG system account

Security teams may also leverage threat intelligence feeds and network detection rules that target known exploitation patterns for this vulnerability class.

Assessment

CVE-2023-28461 carries an EPSS score of 0.67645, placing it in the 99.2nd percentile — meaning it is among the most likely vulnerabilities to be exploited in the wild. This prediction is confirmed by its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog and the EU Exploited Vulnerabilities Database, both of which added this CVE on November 25, 2024. The gap between March 2023 disclosure and late-2024 KEV listing suggests either sustained private exploitation or delayed public confirmation of in-the-wild abuse.

Key lessons:

  1. Perimeter appliances are prime targets — SSL VPN gateways sit at the boundary between untrusted and trusted networks. Authentication bypass flaws in these devices are catastrophic because they eliminate the very control they exist to enforce.

  2. EPSS and KEV alignment matters — When a vulnerability scores above 0.5 EPSS and appears on the KEV list simultaneously, organizations should treat it as an active emergency regardless of their own observed exploitation. The statistical and intelligence signals are strongly convergent.

References

Frequently asked questions

What is CVE-2023-28461?
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
How severe is CVE-2023-28461?
CVE-2023-28461 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-28461 being actively exploited?
Yes. CVE-2023-28461 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-11-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-28461?
CVE-2023-28461 affects Arraynetworks Arrayos Ag. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-28461?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-28461 have an EU (EUVD) identifier?
Yes. CVE-2023-28461 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-32140. It is also flagged as exploited in the EUVD (since 2024-11-25).
When was CVE-2023-28461 published?
CVE-2023-28461 was published on 2023-03-15 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Arraynetworks Arrayos Ag

All CVEs affecting Arraynetworks Arrayos Ag →

Other CWE-287 (Improper Authentication) vulnerabilities

Browse all CWE-287 (Improper Authentication) vulnerabilities →