CVE-2023-28461
Published: 15 March 2023
Summary
CVE-2023-28461 is a critical-severity Improper Authentication (CWE-287) vulnerability in Array Networks ArrayOS AG. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
CVE-2023-28461 is an unauthenticated remote code execution vulnerability affecting Array Networks Array AG Series and vxAG appliances running version 9.4.0.481 and earlier. The flaw stems from missing authentication checks that allow an attacker to traverse the filesystem on the SSL VPN gateway by supplying a flags attribute in an HTTP header, after which a vulnerable URL can be leveraged to execute arbitrary code on the device.
An unauthenticated remote attacker can exploit the issue over the network to achieve full compromise of the affected gateway, including reading or writing arbitrary files and executing commands with high impact to confidentiality, integrity, and availability. The CVSS 3.1 base score of 9.8 reflects the absence of required credentials or user interaction and the complete scope of access once the initial filesystem access is obtained.
Vendor guidance issued on 9 March 2023 states that a patched Array AG release would be made available soon; the referenced security advisory from Array Networks provides additional details on the affected builds and remediation steps. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
The associated EPSS score has reached 0.8929, indicating substantial exploitation interest following public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32140
Vulnerability details
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
- CWE(s): CWE-287 (Improper Authentication)
- KEV Date Added: 25 November 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication and authorization checks on all HTTP requests to the SSL VPN gateway, blocking the unauthenticated flags-attribute filesystem access that leads to RCE.
Requires identification and authentication of every user session before any system functionality (including the vulnerable URL handlers) can be reached, eliminating the missing-authentication flaw.
Mandates explicit authorization, encryption, and access restrictions for all remote connections to the VPN appliance, limiting exposure of the unauthenticated code-execution path.