CISA adds a vulnerability in Array Networks AG and vxAG ArrayOS to the Known Exploited Vulnerabilities (KEV) catalog.

423/67 Wednesday, November 27, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-28461, with a CVSS score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects Array Networks AG Series and vxAG ArrayOS (version 9.4.0.481 and earlier).

The vulnerability gives unauthenticated attackers access to system files on the SSL VPN gateway. By sending HTTP requests that carry the flags attribute in a header to a vulnerable URL, attackers can execute code remotely and take control of the system.

To reduce the risk of exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to patch the vulnerability within the specified timeline: CISA has mandated that they remediate it by December 16, 2024.

Source: https://securityaffairs.com/171395/hacking/u-s-cisa-adds-array-networks-ag-and-vxag-arrayos-flaw-to-its-known-exploited-vulnerabilities-catalog.html