PatchDay Alert
Analysis · 5 min read · 1,058 words · By The Commentary Desk · Commentary

Array Networks patched in a week and forgot to build a security program

CVE-2023-28461 is a CVSS 9.8 auth bypass on an SSL VPN that Earth Kasha was already exploiting. The fix shipped fast. The disclosure infrastructure around it doesn't exist.


Array Networks shipped a fix for CVE-2023-28461 about a week after disclosure. That is the only part of this story the vendor handled well.

The bug itself is the kind that ends careers. CVSS 9.8. Missing authentication on a critical function (CWE-306), with an improper-authentication cross-reference (CWE-287). A single HTTP request to an AG Series SSL VPN or vxAG virtual gateway, with a specific flags attribute set in the header, bypasses authentication on a request handler that should never have answered the phone. The immediate capability is unauthenticated arbitrary file read on the appliance OS. A follow-on endpoint, reached in the same bypassed state, turns that into remote code execution. No credentials, no user interaction, no phishing precursor. One request to a reachable HTTPS port and the attacker is on the gateway.

Affected scope is every ArrayOS AG 9.x build up to and including 9.4.0.481. The fix is 9.4.0.484. The disclosure date was March 9, 2023.

The 20-month gap

CISA added CVE-2023-28461 to the Known Exploited Vulnerabilities catalog on November 25, 2024, with a federal remediation deadline of December 16, 2024. That is roughly 20 months between vendor disclosure and KEV listing. It was not a quiet 20 months.

Japan’s National Police Agency and NISC issued a joint advisory in January 2025 placing an Earth Kasha campaign against network-device vulnerabilities, CVE-2023-28461 among them, in the February-to-October 2023 window. Exploitation began in the same month the patch shipped. Trend Micro’s October 2024 report on Earth Kasha’s LODEINFO campaign describes the same actor pivoting in 2023 from spear-phishing to public-facing appliance exploitation, with Array Networks fitting alongside CVE-2023-45727 in Proself and CVE-2023-27997 in FortiOS. Post-exploitation tooling included Cobalt Strike, LODEINFO, and NOOPDOOR. Targets were government bodies and advanced-technology firms in Japan, Taiwan, and India. Earth Kasha is also tracked as MirrorFace, a China-nexus group.

CISA’s KEV entry also carries the “ransomware campaign use: Known” flag. No public attribution names the ransomware operator, and nothing in the Trend Micro, ESET, or JPCERT reporting connects Earth Kasha to a ransomware payload against Array Networks targets. The likeliest read is that opportunistic ransomware actors weaponized the bug separately, given how trivially exploitable it is, and CISA’s determination came through its Ransomware Vulnerability Warning Pilot. That is a guess. The operator is not publicly named.

A related attribution error: the IP 194.233.100.138 and the /webapp/ PHP web-shell paths circulating in JPCERT/CC reporting belong to a different Array Networks DesktopDirect command-injection issue, not to CVE-2023-28461. Coverage that bundles them together is wrong.

The disclosure infrastructure that isn’t there

Here is what Array Networks does not have.

It does not operate a public PSIRT portal. It does not publish a vulnerability disclosure policy. It is not a CVE Numbering Authority; CVE-2023-28461 was assigned by NVD and MITRE, not by the vendor. Its “Information Security Policy” page is an internal ISO 27001 governance statement, not an external-facing program. The advisory PDF for this CVE lives behind a support portal URL that returns HTTP 403 to unauthenticated requests, consistent with contract-gated distribution. There is no public index of past advisories. After the KEV addition in November 2024, when this bug was elevated into the federal patch deadline regime and a known nation-state initial-access vector, no updated public guidance from Array Networks surfaced anywhere. The March 2023 advisory appears to have been the last word.

Now compare the peers. Fortinet runs a full PSIRT at fortiguard.com/psirt with public severity ratings, coordinated disclosure timelines, and CNA status. Citrix publishes Security Bulletins on an open, browsable portal. F5 runs a PSIRT process with public advisories and a bug bounty program. These are not luxury features. They are the baseline assumption when defenders evaluate a vendor whose product sits at the network edge and terminates remote access. Array Networks’ model, a single PDF behind a support gate with no public index and no follow-up, reads as a legacy network-appliance posture from the early 2000s.

The advisory itself, as far as it can be reconstructed from secondary sources, was competent. The vendor named affected versions, listed mitigations (disabling DesktopDirect, Client Security, VPN client auto-upgrade, Portal User Resources, and IP blacklist rules), and shipped the fixed release within a week. The patch is not the failure. The failure is everything around it. A defender who is not already an Array Networks customer cannot read the canonical advisory. A researcher cannot find a coordinated-disclosure policy to follow. A SOC analyst hunting for indicators cannot pull a vendor-published technical writeup because there isn’t one. The code diff between 9.4.0.481 and 9.4.0.484 has never been documented publicly. The specific URL paths susceptible to the bypass have not appeared in open sources either.

Why this keeps happening

SSL VPN appliances have been the primary nation-state initial-access vector for three years running. Ivanti, Fortinet, Citrix: every quarter a new bug at the network edge gets weaponized inside days. The vendors who get the least scrutiny in that conversation are the small-and-mid-market players whose advisories nobody can find, because nobody reads them, because they are not published. The bug rate at those vendors is not lower. The disclosure visibility is.

Array Networks is not an obscure outfit. It sells AG Series gateways and vxAG virtual appliances into government, finance, and large enterprise environments. The product class is the same one Earth Kasha was hunting through in 2023. That a CVSS 9.8 unauthenticated RCE on this product had to be assigned by MITRE, reported on by Trend Micro, listed by CISA, and covered by the Japanese national police before defenders could form a complete picture is a structural failure, not an accident.

What to expect

If you run AG or vxAG appliances, the order of work is short. Inventory anything at 9.4.0.481 or earlier. Upgrade to 9.4.0.484 or later. If patching is blocked this maintenance window, get the management interface off the public internet, which is where it should have been already under CISA BOD 23-02 logic. Treat any unpatched appliance that has been internet-reachable since March 2023 as potentially compromised until you can prove otherwise, particularly if your sector is one Earth Kasha cares about.
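The order of work above is easy to get wrong at scale because ArrayOS builds like 9.4.0.481 do not sort correctly as strings. The following is an added example, not Array Networks' tooling, that turns the steps into an inventory triage: it compares builds numerically against the two versions the page names (9.4.0.481 last affected, 9.4.0.484 fixed), flags interim or other-train builds as unknown rather than guessing, and ranks any unpatched appliance whose management interface has been internet-reachable as "assume compromised" ahead of plain upgrades. The hostnames, builds and exposure dates in the sample inventory are constructed.

```python
"""Triage an ArrayOS AG/vxAG inventory against CVE-2023-28461.

Added example, not Array Networks' own tooling. Version strings follow the
"9.4.0.481" form used in the advisory; every hostname and row below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

LAST_AFFECTED = "9.4.0.481"        # last affected AG 9.x build named in the advisory
FIRST_FIXED = "9.4.0.484"          # fixed release named in the advisory
KEV_DEADLINE = date(2024, 12, 16)  # CISA federal remediation deadline


def parse_version(s: str) -> tuple[int, ...]:
    """Turn "9.4.0.481" into (9, 4, 0, 481) so comparisons are numeric.

    A plain string compare would wrongly rank "9.10.0.1" below "9.4.0.484".
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable ArrayOS version: {s!r}")
    return tuple(int(p) for p in parts)


def classify_version(version: str) -> str:
    """Map a build to the advisory scope: affected / fixed / unknown / out-of-scope."""
    v = parse_version(version)
    if v[0] != 9:
        return "out-of-scope"   # only AG 9.x is named; say nothing about other trains
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIRST_FIXED):
        return "fixed"
    return "unknown"            # 9.4.0.482/483: between the two builds the advisory names


@dataclass(frozen=True)
class Appliance:
    host: str
    version: str
    # Date the management interface became internet-reachable; None = never.
    internet_reachable_since: Optional[date] = None


def triage(appliance: Appliance, today: date) -> tuple[int, str]:
    """Return (priority, action); a lower priority number means do it first."""
    state = classify_version(appliance.version)
    if state == "fixed":
        return (3, "patched: no action")
    if state == "out-of-scope":
        return (3, "build not in the advisory scope: confirm with the vendor")
    # An unpatched box that has been reachable at any point since disclosure
    # (March 2023) is treated as potentially compromised until proven otherwise.
    since = appliance.internet_reachable_since
    exposed = since is not None and since <= today
    if exposed:
        priority, action = 0, (
            "assume compromised: take the management interface off the internet, "
            "preserve an image, hunt, then upgrade to 9.4.0.484 or later"
        )
    else:
        priority, action = 1, "upgrade to 9.4.0.484 or later this maintenance window"
    if today > KEV_DEADLINE:
        action += f" (past CISA KEV deadline {KEV_DEADLINE.isoformat()})"
    return (priority, action)


def triage_inventory(appliances, today: date) -> list[tuple[str, int, str]]:
    """Run triage over an inventory, most urgent first (sorted() is stable on ties)."""
    rows = [(a.host, *triage(a, today)) for a in appliances]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample inventory (hostnames, builds and dates are illustrative).
SAMPLE_INVENTORY = [
    Appliance("vpn-gw-01", "9.4.0.481", date(2022, 6, 1)),   # affected, long exposed
    Appliance("vpn-gw-02", "9.4.0.484", None),               # fixed build
    Appliance("vpn-gw-03", "9.3.0.200", None),               # affected, never exposed
    Appliance("vpn-gw-04", "9.4.0.482", date(2024, 1, 1)),   # interim build, exposed
    Appliance("vpn-gw-05", "9.4.0.490", date(2023, 1, 1)),   # later than the fix
]

if __name__ == "__main__":
    for host, prio, action in triage_inventory(SAMPLE_INVENTORY, date(2025, 1, 15)):
        print(f"[{prio}] {host}: {action}")
```

The "unknown" bucket is deliberate: the only builds the page names are 9.4.0.481 and 9.4.0.484, so anything in between, or on a different major train, gets escalated to the vendor rather than silently marked safe. Exposure is keyed on whether the management interface was ever reachable up to the triage date, because exploitation started the same month the patch shipped.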

Do not expect Array Networks to publish a post-mortem, a code-diff summary, or hunting guidance. The pattern says they will not.

A vendor that ships a fast patch and no infrastructure to tell anyone about it has not really disclosed the bug. It has filed it.
