Array Networks Suffers Critical SSL VPN Gateway Vulnerability

Critical vulnerability in Array Networks SSL VPN gateway

Array Networks, a manufacturer of network security products, has issued a warning regarding a critical security vulnerability in its SSL VPN gateway. The vulnerability affects Array AG and vxAG products and could allow attackers to execute malicious code over the network without prior authentication.

In addition to the SSL VPN gateway vulnerability, attackers could also exploit a vulnerability in Array APV to remotely inject commands.

According to the manufacturer's security advisory, the SSL VPN gateway vulnerability (CVE-2023-28461) is critical and affects Array AG and vxAG devices running ArrayOS AG 9.4.0.481 or older. An updated version that corrects the underlying bug is expected to be available soon.

A command injection vulnerability was also found in Array APV products. After logging on to an affected appliance with administrative privileges, attackers can execute arbitrary shell code by sending a crafted packet (CVE-2023-28460).

This issue has been fixed in ArrayOS APV 8.6.1.262 or later and 10.4.2.93 or later, according to another security advisory by the company. The updated software will be available for download from the Array Networks support portal. IT managers will need login credentials for the portal to download the update.
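To check an appliance inventory against the version bounds quoted above for both CVEs, a small triage script can help. This is an added example, not code from Array Networks or its advisories; it assumes version strings are four dot-separated integers and that the inventory is a list of `host,product,version` lines (both the format and the host names are constructed).

```python
import re

# Version bounds exactly as quoted in the article.
AG_LAST_AFFECTED = (9, 4, 0, 481)        # CVE-2023-28461: this build or older
APV_FIXED = {(8, 6): (8, 6, 1, 262),     # CVE-2023-28460: first fixed build
             (10, 4): (10, 4, 2, 93)}    # per release branch

def parse_version(text):
    """Return (a, b, c, d) for 'a.b.c.d', or None if the string is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def triage(product, version):
    """Classify one appliance. Product labels AG/vxAG/APV are assumed."""
    v = parse_version(version)
    if v is None:
        return "unknown: unparseable version"
    p = product.strip().lower()
    if p in ("ag", "vxag"):
        # Tuple comparison is numeric: 9.4.0.99 is older than 9.4.0.481.
        if v <= AG_LAST_AFFECTED:
            return "affected: CVE-2023-28461"
        return "not in affected range: CVE-2023-28461"
    if p == "apv":
        fixed = APV_FIXED.get(v[:2])
        if fixed is None:
            return "unknown: branch not named in article"
        if v >= fixed:
            return "fixed: CVE-2023-28460"
        return "needs update: CVE-2023-28460"
    return "unknown: product not covered"

def triage_inventory(lines):
    """Map host -> status for 'host,product,version' lines (assumed format)."""
    result = {}
    for line in lines:
        parts = [f.strip() for f in line.split(",")]
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        host, product, version = parts
        result[host] = triage(product, version)
    return result

# Constructed sample inventory, not real hosts.
SAMPLE = ["vpn-gw1,AG,9.4.0.481", "vpn-gw2,vxAG,9.4.0.99",
          "lb1,APV,10.4.2.93", "lb2,APV,8.6.1.100", "lb3,APV,9.0.0.1"]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

APV builds on branches the article does not name are reported as unknown rather than guessed, so they should be checked against the vendor advisory directly.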

Other manufacturers have also had vulnerabilities in their SSL VPN gateways, some of which have been exploited by cybercriminals before security updates were available. SonicWall and Fortinet are examples of companies that have had to address similar issues in the past.

Overall, it is essential for organizations to monitor and update their network security products regularly to minimize the risk of cyber attacks.
