Cyber Resilience

CVE-2023-28461

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 15 March 2023
Modified: 03 November 2025
KEV Added: 25 November 2024
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8929 (99.6th percentile)
Risk Priority: 93 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-28461 is a critical-severity Improper Authentication (CWE-287) vulnerability in Array Networks ArrayOS AG. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2023-28461 is an unauthenticated remote code execution vulnerability affecting Array Networks Array AG Series and vxAG appliances running version 9.4.0.481 and earlier. The flaw stems from missing authentication checks that allow an attacker to traverse the filesystem on the SSL VPN gateway by supplying a flags attribute in an HTTP header, after which a vulnerable URL can be leveraged to execute arbitrary code on the device.

An unauthenticated remote attacker can exploit the issue over the network to achieve full compromise of the affected gateway, including reading or writing arbitrary files and executing commands, with high impact on confidentiality, integrity, and availability. The CVSS 3.1 base score of 9.8 reflects that no credentials or user interaction are required and that impact is high on all three once the initial filesystem access is obtained.

Vendor guidance issued on 9 March 2023 states that a patched Array AG release would be made available soon; the referenced security advisory from Array Networks provides additional details on the affected builds and remediation steps. The vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

The associated EPSS score has reached 0.8929, indicating substantial exploitation interest following public disclosure.

EU & UK References

Vulnerability details

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

CWE(s)
KEV Date Added: 25 November 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: arraynetworks
Product: arrayos ag
Version: ≤ 9.4.0.481

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement
prevent

Directly enforces authentication and authorization checks on all HTTP requests to the SSL VPN gateway, blocking the unauthenticated flags-attribute filesystem access that leads to RCE.

IA-2 Identification and Authentication (Organizational Users)
prevent

Requires identification and authentication of every user session before any system functionality (including the vulnerable URL handlers) can be reached, eliminating the missing-authentication flaw.

AC-17 Remote Access partial match
prevent

Mandates explicit authorization, encryption, and access restrictions for all remote connections to the VPN appliance, limiting exposure of the unauthenticated code-execution path.

References