TheCyberThrone

CISA adds Array Networks CVE-2023-28461 to its KEV Catalog

The US CISA added an Array Networks vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation.

CVE-2023-28461

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability (CWE-306) that allows an attacker to read local files and execute code on the SSL VPN gateway.

Arbitrary File Read Vulnerability in Array AG/vxAG

The Array AG/vxAG remote code execution vulnerability is a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using the flags attribute in an HTTP header without authentication.

The vulnerability has NO impact on AVX, APV, ASF, and AG/vxAG (running ArrayOS AG 10.x versions) series products. For Array AG/vxAG series products running ArrayOS AG 9.x versions, attackers may exploit this vulnerability without authentication.

CISA has set December 12, 2024, as the deadline for federal agencies to remediate the vulnerability.
