VPNs Breached: How a Silent Exploit Gave Hackers the Keys to Japanese Enterprises
Attackers are hijacking business VPNs with a stealthy bug, planting digital backdoors and exposing the soft underbelly of corporate remote access.
Fast Facts
- Hackers exploited a command injection flaw in ArrayOS AG VPNs, targeting Japanese companies since August 2025.
- The bug allowed attackers to run any command without needing a password.
- Webshells were installed, giving intruders persistent, secret access to internal networks.
- Array Networks released a fix in May 2025, but many systems remained unpatched and vulnerable for months.
- Attackers used a single command center IP, hinting at an organized, ongoing campaign.
Digital Drawbridges Lowered: A Breach in the Wall
Imagine a castle whose drawbridge, meant to keep invaders out, is instead rigged to let them slip inside undetected. That’s the reality facing dozens of Japanese organizations whose virtual private networks (VPNs) - the digital drawbridges of enterprise - have been quietly compromised by a cunning vulnerability in Array Networks’ ArrayOS AG systems.
Since August 2025, cybercriminals have been exploiting a flaw in the “DesktopDirect” feature, which was designed to let employees safely access their work desktops remotely. Instead, it opened a secret passage: a “command injection” bug that let attackers issue any order they pleased, no login required. In effect, the attackers could whisper instructions straight to the heart of the network, sidestepping locks and passwords entirely.
Webshells: The Hackers’ Hidden Hand
Once inside, hackers planted webshells - stealthy software tools that act like digital listening posts and remote controls. With a webshell in place, an intruder can quietly explore, steal data, or even create new user accounts for backup access. JPCERT/CC, Japan’s top cyber emergency team, found that attackers targeted the “/ca/aproxy/webapp/” folder, leaving behind malicious PHP files as their persistent foothold.
For months, these attacks went largely unnoticed. Logs show a single IP address coordinating much of the activity, suggesting a disciplined, possibly state-backed campaign. The attackers’ methods echo notorious breaches of VPN appliances in recent years - such as the Pulse Secure and Fortinet incidents - where slow patching and network blind spots allowed adversaries to linger and expand their reach.
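A defender's first question after reading the above is how to spot a planted PHP file in a web root such as the "/ca/aproxy/webapp/" folder named earlier. The script below is an added example, not JPCERT/CC's or Array Networks' code: it assumes the appliance's web root can be copied off-box (or mounted) for offline review, compares the tree against a known-good file manifest, and flags PHP files that carry tokens typical of webshells. The directory layout, file names and the planted sample file are all constructed for the demo.

```python
"""Hunt for webshell-like PHP files under a copied VPN appliance web root.

Added example; the tree built by build_demo_tree() is a constructed stand-in
for a '/ca/aproxy/webapp/' directory and is not real appliance content.
"""
import re
import tempfile
from pathlib import Path

# Tokens that commonly appear in PHP webshells: execution primitives fed by
# request parameters, plus obfuscation helpers. Not exhaustive; tune to the
# platform's legitimate code to keep false positives down.
SUSPICIOUS = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\("
    r"|base64_decode\s*\("
    r"|\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".phar"}


def hunt_webshells(root, expected_files):
    """Return a list of findings for files under *root* that are either absent
    from the known-good manifest or are PHP files matching webshell patterns."""
    findings = []
    root = Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel not in expected_files:
            reasons.append("not in known-good manifest")
        if path.suffix.lower() in PHP_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""
            hits = sorted({m.group(0).split("(")[0].strip()
                           for m in SUSPICIOUS.finditer(text)})
            if hits:
                reasons.append("suspicious tokens: " + ", ".join(hits))
        if reasons:
            findings.append({"path": rel, "reasons": reasons})
    return findings


def build_demo_tree():
    """Create a constructed web root: a few legitimate files plus one planted
    PHP file. Returns (root_path, set_of_expected_relative_paths)."""
    root = Path(tempfile.mkdtemp(prefix="webapp-"))
    legit = {
        "index.php": "<?php echo 'DesktopDirect portal'; ?>",
        "css/style.css": "body { margin: 0; }",
        "lib/util.php": "<?php function ver() { return '1.0'; } ?>",
    }
    for rel, content in legit.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    # Planted file (constructed for detection only; deliberately not valid PHP)
    (root / "img").mkdir(exist_ok=True)
    (root / "img" / "cache.php").write_text(
        "<?php // constructed sample\neval(base64_decode($_POST['c'])"
    )
    return root, set(legit)


if __name__ == "__main__":
    demo_root, manifest = build_demo_tree()
    for finding in hunt_webshells(demo_root, manifest):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

In practice the manifest comes from a clean install or vendor package listing, and the scan runs on a disk image or copied tree rather than on the live appliance, so that the evidence a reboot would destroy (mentioned in the next section) is preserved first.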
A Perfect Storm: Delays, Patching, and the Human Factor
Array Networks had already released a patch in May 2025, but the fix required a system reboot - a step that can delete vital forensic evidence and is often delayed by cautious IT teams. This window of hesitation was all hackers needed. The lesson is stark: in the world of enterprise security, even a brief delay in patching can be the difference between safety and a full-scale breach.
The attack exposes a broader market and geopolitical risk. With remote work now a staple, VPNs are critical infrastructure, and their compromise can ripple through supply chains, government agencies, and global partners. The campaign’s focus on Japanese companies hints at targeted economic or strategic motives - a pattern seen in recent years as cyberattacks become sharper tools of statecraft and industrial espionage.
WIKICROOK
- Command Injection: Command Injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.
- Webshell: A webshell is a hidden program uploaded by hackers to a compromised website, giving them remote control and unauthorized access like a secret backdoor.
- VPN (Virtual Private Network): A VPN encrypts your internet connection and hides your IP address, providing extra privacy and security when browsing online or using public Wi-Fi.
- Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.
- Forensic Evidence: Forensic evidence is material analyzed with scientific methods, like DNA or fingerprints, to identify suspects and support criminal investigations.
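To make the "Command Injection" glossary entry concrete, here is an added example (not the ArrayOS AG flaw, whose details the article does not give) in Python: a vulnerable pattern that splices user input into a shell command string is shown beside a hardened version that validates the input against an allowlist and passes it as a separate argument with no shell involved. The host names and the "; id" payload are constructed for the demo.

```python
"""Command injection: vulnerable string building versus a hardened argv call.

Added example; unsafe_command() only builds the string and never executes it.
"""
import re
import subprocess
import sys

# Allowlist for a host name: letters, digits, dots and hyphens, and it may not
# start with '-' so it cannot be mistaken for a command-line option.
ALLOWED_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def unsafe_command(host):
    """VULNERABLE pattern: the user-supplied host is spliced into a string that
    would be handed to a shell (shell=True). Metacharacters such as ';' let the
    caller append arbitrary commands. Returned, not executed, for illustration."""
    return f"ping -c 1 {host}"


def safe_argv(host):
    """HARDENED pattern: reject anything outside the allowlist, then return an
    argument list for subprocess with shell=False, so the host is one literal
    argument and shell metacharacters carry no meaning."""
    if not ALLOWED_HOST.fullmatch(host):
        raise ValueError(f"invalid host name: {host!r}")
    return ["ping", "-c", "1", host]


def echo_literal(arg):
    """Show that an argv list delivers the value verbatim. Uses the running
    Python interpreter as a portable child process instead of ping."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    payload = "example.com; id"  # constructed injection attempt
    print("vulnerable string:", unsafe_command(payload))
    try:
        safe_argv(payload)
    except ValueError as err:
        print("hardened version rejected it:", err)
    print("argv delivers it literally:", echo_literal(payload))
```

The point of echo_literal() is that even when validation is skipped, an argument list with shell=False hands "example.com; id" to the child as a single string; it is the shell interpreting a concatenated command line that turns input into extra commands.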