JPCERT/CC confirms active exploitation of command injection in Array AG gateways

JPCERT/CC this week confirmed active exploitation of a command injection vulnerability in Array Networks AG Series secure access gateways, with attacks observed since August 2025, the agency said.

The flaw, which has not been assigned a CVE identifier, was fixed by Array Networks on May 11, 2025 and is rooted in the vendor’s DesktopDirect remote desktop access feature; JPCERT/CC warned that successful exploitation could allow attackers to execute arbitrary commands.

JPCERT/CC said it has confirmed incidents in Japan after August 2025 in which intruders dropped web shells on vulnerable devices; the agency reported the attacks originated from the IP address 194.233.100[.]138.

There are no details available on the scale of the attacks, how the flaw was weaponized or the identity of the threat actors. A previous authentication bypass in the same product (CVE-2023-28461) was exploited last year by a group known as MirrorFace, but the agency said there is currently no evidence linking that group to the newly reported incidents.

The vulnerability affects ArrayOS versions 9.4.5.8 and earlier and was addressed in ArrayOS 9.4.5.9; users were urged to apply the update as soon as possible. Where patching is not immediate, JPCERT/CC recommended disabling DesktopDirect and using URL filtering to block URLs containing a semicolon.
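The two indicators JPCERT/CC gives above, the reported source IP and request URLs containing a semicolon, can be applied directly to web access logs while a device is waiting for the 9.4.5.9 update. The following triage script is an added example, not code from JPCERT/CC or Array Networks: it parses combined-format log lines, flags any request from 194.233.100.138 and any URL with a semicolon, and returns the reasons per line. The log lines are constructed for illustration and the paths in them are placeholders, not real DesktopDirect endpoints. Matching percent-encoded semicolons (`%3B`, including double-encoded forms) is an assumption about what a filter should cover; the advisory only mentions the literal character.

```python
"""Added example: triage web access logs against the indicators in the
JPCERT/CC report on the Array AG command injection (not vendor code).
  1. source IP 194.233.100.138 (defanged in the article)
  2. request URLs containing a semicolon, the character JPCERT/CC
     recommends blocking with URL filtering
Log lines below are constructed; paths are placeholders, not real
DesktopDirect endpoints."""
import re
from urllib.parse import unquote

IOC_IP = "194.233.100.138"  # from the JPCERT/CC report

# Combined log format: ip ident user [timestamp] "METHOD url proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def url_contains_semicolon(url: str) -> bool:
    """True if the URL holds a literal ';' or one hidden behind percent-encoding.
    Decoding twice also catches double-encoded input; this is an assumption
    about filter coverage, the advisory itself names only the literal character."""
    candidates = {url, unquote(url), unquote(unquote(url))}
    return any(";" in c for c in candidates)


def triage_line(line: str) -> list:
    """Return the reasons a log line matches the advisory's indicators,
    an empty list if it is clean, or ["unparseable"] if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    reasons = []
    if m["ip"] == IOC_IP:
        reasons.append("source matches reported attacker IP")
    if url_contains_semicolon(m["url"]):
        reasons.append("semicolon in request URL")
    return reasons


def triage_log(lines) -> dict:
    """Map each flagged line's index to its reasons; clean lines are omitted."""
    findings = {}
    for idx, line in enumerate(lines):
        reasons = triage_line(line)
        if reasons:
            findings[idx] = reasons
    return findings


SAMPLE_LOG = [  # constructed sample traffic, not real data
    '10.0.0.5 - - [12/Sep/2025:10:01:02 +0900] "GET /portal/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2025:10:01:07 +0900] "GET /rdp/connect?x=1;y=2 HTTP/1.1" 200 88',
    '194.233.100.138 - - [12/Sep/2025:10:01:09 +0900] "GET /portal/login HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Sep/2025:10:01:11 +0900] "GET /rdp/connect?x=1%3By=2 HTTP/1.1" 200 88',
    'garbage line',
]

if __name__ == "__main__":
    for idx, reasons in triage_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(reasons)}")
```

Two caveats when turning this into a filter rule: semicolons are legal in URLs (RFC 3986 path parameters), so a blanket block should be scoped to the DesktopDirect paths actually exposed and tested against normal traffic first, and the filter is a stopgap; disabling DesktopDirect, as JPCERT/CC recommends, removes the exposure rather than screening input to it.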