Monday 06 July 2026 14:50:27 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Intelligence & Threat Trends

Silent Gateways: How a VPN Flaw Opened Corporate Doors to Hackers

Cybercriminals exploit a hidden vulnerability in ArrayOS AG VPN devices, planting secret webshells and seizing remote access to enterprise networks worldwide.

Fast Facts

  • Hackers are abusing a command injection flaw in Array Networks AG Series VPNs to install webshells and create unauthorized users.
  • The flaw affects versions up to ArrayOS AG 9.4.5.8; a fix is available in version 9.4.5.9, but tracking is hampered by a lack of a formal CVE identifier.
  • Japanese CERT has observed attacks since at least August 2023, mainly targeting organizations in Japan, with activity traced to a specific IP address.
  • Array Networks AG Series devices are used for secure remote access by large organizations, especially in Asia and the United States.
  • Security experts warn that global awareness is low, raising fears of further exploitation and under-the-radar breaches.

A Vulnerability Hiding in Plain Sight

Imagine a fortress with a hidden side door-one that even the guards don’t know exists. For months, hackers have been slipping through just such a digital entryway in Array Networks’ AG Series VPN devices. Exploiting a subtle flaw known as a “command injection,” cybercriminals have been quietly planting webshells-stealthy backdoors-on targeted systems. These webshells allow attackers to issue commands and create rogue user accounts, essentially giving them the keys to the castle.

The vulnerability, present in all ArrayOS AG versions up to 9.4.5.8, was patched in May 2023. However, because the flaw was never assigned a formal identifier (such as a CVE), organizations are struggling to track which systems remain exposed. The lack of clear communication and a public advisory has left many IT teams in the dark-a classic case of security by obscurity gone wrong.

From Japan to the World: A Targeted Breach

Japan’s Computer Emergency Response Team (JPCERT) was the first to sound the alarm. Their researchers traced attacks back to August, pinpointing a single IP address as the launchpad. Their bulletin revealed that attackers were dropping PHP-based webshells into a specific directory, allowing remote control over compromised devices. While the majority of observed attacks have focused on Japanese organizations, security scans show over 1,800 vulnerable devices worldwide, with clusters in China, the U.S., and other parts of Asia.

Macnica security researcher Yutaka Sejiyama highlighted that most of these devices serve large enterprises-companies that rely on secure VPNs to enable remote work and cloud access. The risk is heightened for those using the ‘DesktopDirect’ remote access feature, which appears to be a particular target.

Déjà Vu: A Pattern of VPN Exploits

This isn’t the first time VPN gateways have landed in the crosshairs. In 2023, CISA warned about another Array Networks flaw (CVE-2023-28461) that enabled remote code execution. The pattern is clear: as organizations double down on remote work, attackers are probing the very tools meant to keep them safe. VPN devices, often overlooked in patch cycles, become attractive targets for persistent threat actors looking for a discreet foothold.

What’s unique this time is the muted international response. With most incidents concentrated in Asia, global security vendors have been slow to react, potentially leaving Western enterprises exposed and unaware. The episode underscores a critical lesson: in cyber defense, what happens “over there” can swiftly become a local crisis.

The silent exploitation of ArrayOS AG VPN devices is a stark reminder that even specialized security hardware can harbor hidden dangers. In a world where remote access is the new normal, the smallest overlooked flaw can open doors for adversaries-and close them on unsuspecting defenders. Vigilance, transparency, and swift communication remain the best shields against invisible invaders lurking at the digital gate.

WIKICROOK

  • Command Injection: Command Injection is a vulnerability where attackers trick systems into running unauthorized commands by inserting malicious input into user fields or interfaces.
  • Webshell: A webshell is a hidden program uploaded by hackers to a compromised website, giving them remote control and unauthorized access like a secret backdoor.
  • VPN (Virtual Private Network): A VPN encrypts your internet connection and hides your IP address, providing extra privacy and security when browsing online or using public Wi-Fi.
  • CVE (Common Vulnerabilities and Exposures): A CVE is a unique public identifier for a specific security vulnerability, enabling consistent tracking and discussion across the cybersecurity industry.
  • Remote Code Execution: Remote code execution lets attackers run commands on your computer from a distance, often leading to full system compromise and data theft.