CVE-2023-28461

Published Mar 15, 2023

Last updated 12 days ago

Overview

Description
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability
Exploit added on: Nov 25, 2024
Exploit action due: Dec 16, 2024
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

nvd@nist.gov: CWE-287
134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-306

Social media

Hype score
Not currently trending
  1. CVE-2024-21287 is getting exploited #inthewild. Find out more at https://t.co/zxkLY8Soqk CVE-2023-28461 is getting exploited #inthewild. Find out more at https://t.co/IogAb7TnOf

    @inthewildio

    3 Dec 2024

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-21287 is getting exploited #inthewild. Find out more at https://t.co/zxkLY8Soqk CVE-2024-44309 is getting exploited #inthewild. Find out more at https://t.co/C8QQNSrrFU CVE-2023-28461 is getting exploited #inthewild. Find out more at https://t.co/IogAb7TnOf

    @inthewildio

    3 Dec 2024

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🇺🇸📡👨🏻‍💻 Bleeping Computer reported on November 26 that "the US cyber defense agency has received evidence that hackers are actively exploiting a remote code execution vulnerability in the SSL VPN products Array Networks AG and vxAG ArrayOS. The security issue is tracked as CVE-2023-28461

    @FearlessKuwaiti

    3 Dec 2024

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

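  4. [Original] It appears that the Array Networks AG/vxAG vulnerability CVE-2023-28461 and the SonicWall SonicOS vulnerability CVE-2024-40766 have each been exploited in ransomware activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog has been updated. https://t.co/8OLgYfFXPf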

    @__kokumoto

    2 Dec 2024

    1483 Impressions

    2 Retweets

    10 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  5. #DOYOUKNOWCVE CISA Alert: CVE-2023-28461 CVE-2023-28461 has been identified as a critical vulnerability impacting Array Networks AG and vxAG secure access gateways. This vulnerability allows attackers to browse the filesystem or execute remote code without authentication,… http

    @Loginsoft_Inc

    27 Nov 2024

    103 Impressions

    1 Retweet

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🔓The critical security vulnerability CVE-2023-28461, affecting Array Networks AG and vxAG gateways, has been included in CISA’s Known Exploited Vulnerabilities catalog following reports of active exploitation.

    @918intelligence

    27 Nov 2024

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. A critical vulnerability has been discovered in Array Networks AG Series and vxAG version 9.4.0.481 and earlier. This flaw, rated with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code on vulnerable devices. 🚨 CVE-2023-28461- CVSS 9.8… https

    @cytexsmb

    26 Nov 2024

    208 Impressions

    2 Retweets

    5 Likes

    1 Bookmark

    0 Replies

    2 Quotes

  8. QNAP, Microsoft and Array Networks updates and vulnerabilities. IT Security, Microsoft updates, Array Networks, CVE-2023-28461, cybersecurity, QNAP, SSL VPN bug, vulnerabilities, Windows 11 24H2 https://t.co/28VqxXhp3W https://t.co/gA8nLjRQkH

    @matricedigitale

    26 Nov 2024

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks: https://t.co/kdJgu7tuvr CISA has added a critical vulnerability (CVE-2023-28461, CVSS 9.8) affecting Array Networks AG and vxAG secure access gateways to its KEV catalog due to active exploitation.…

    @securityRSS

    26 Nov 2024

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. A critical #security flaw (CVE-2023-28461) impacting Array Networks AG & vxAG gateways has been added to the CISA's Known Exploited Vulnerabilities catalog after reports of active exploitation. Read more about the flaw / exploitation: https://t.co/vJ0lStDsnK… #infosec

    @CEEKTechnology

    26 Nov 2024

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. Thread: Critical Array Networks Vulnerability Exploited 🚨🌐 1/ The U.S. CISA has added CVE-2023-28461, a critical flaw in Array Networks AG/vxAG secure access gateways, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. Details 👇 https://t.co/Hrsn

    @cyraxsecurity

    26 Nov 2024

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  12. A🚨 A critical security flaw (CVE-2023-28461) impacting Array Networks AG and vxAG gateways has been added to the CISA's Known Exploited Vulnerabilities catalog after reports of active exploitation. !Read more about the flaw, its exploitation: https://t.co/vZJgThDeS0

    @ExposinKingfish

    26 Nov 2024

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. 🚨 A critical security flaw (CVE-2023-28461) impacting Array Networks AG and vxAG gateways has been added to the CISA's Known Exploited Vulnerabilities catalog after reports of active exploitation. Read more about the flaw, its exploitation: https://t.co/DcxF41RITO #infosec

    @TheHackersNews

    26 Nov 2024

    11586 Impressions

    19 Retweets

    54 Likes

    6 Bookmarks

    2 Replies

    0 Quotes

  14. 🚨🚨CVE-2023-28461 (CVSS: 9.8) : Array Networks Array AG Series and vxAG Allow Remote Code Execution ⚠️Evidence indicates active exploitation of this vulnerability. ZoomEye Dork👉app="Array Networks ArrayOS" 19k+ results are found on https://t.co/2EQoXN52Vx. ZoomEye Link:… http

    @zoomeye_team

    26 Nov 2024

    485 Impressions

    1 Retweet

    2 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  15. CISA adds Array Networks CVE-2023-28461 to its KEV Catalog #CISAKEV #ArrayNetworks #CVE-2024-28461 https://t.co/VGDdBgd86q

    @pravin_karthik

    26 Nov 2024

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CISA has added a newly identified vulnerability, CVE-2023-28461, to its Known Exploited Vulnerabilities Catalog. This vulnerability affects Array Networks AG and vxAG ArrayOS, involving improper authentication that could be exploited by threat actors. Organizations are advised to

    @DeAnonymize

    25 Nov 2024

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2023-28461 Array Networks AG and vxAG ArrayOS Improper Authentication Vulnerability https://t.co/ybHqzpnT8P

    @ScyScan

    25 Nov 2024

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2023-28461: Urgent Vulnerability in vxAG ArrayOS Exposed https://t.co/Jr9Jid7zP8

    @windowsforum

    25 Nov 2024

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CISA Adds One Known Exploited Vulnerabilities to Catalog: CVE-2023-28461 - Array Networks AG and vxAG ArrayOS Improper Authentication Vulnerability https://t.co/iXOioRit4n https://t.co/MZl5DYYzsK

    @TMJIntel

    25 Nov 2024

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. 🛡️ We added #ArrayNetworks AG & vxAG #ArrayOS improper authentication vulnerability, CVE-2023-28461, to our Known Exploited Vulnerabilities Catalog. Visit https://t.co/TyBvD9evaQ & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec https://t

    @CISACyber

    25 Nov 2024

    529 Impressions

    3 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    1 Quote

Configurations