Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability

Critical Threat Advisory: This vulnerability is documented in active Ransomware campaigns. Immediate remediation required.

Technical Severity

CVSS v3.1 Metrics

CRITICAL

9.8 / 10

Minimal Risk Critical

Vector Specification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Likelihood

EPSS Prediction

87.18 %

Predictive Probability

Percentile Rank

99.4 th

Documented as more likely to be exploited than 99.4% of known CVEs.

Detection Date

Nov 25, 2024

Remediation Due

Dec 16, 2024

CISA Catalog Active

Threat Analysis

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Asset Context

Vendor Identity

Array Networks

Affected Product

AG/vxAG ArrayOS

Ransomware Status

Campaign Use Known

Weakness Classification

CWE-306

External Intelligence

https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf

NVD

National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2023-28461