CVE-2023-28461 in Array AG

Summary

by MITRE • 03/16/2023

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."


Analysis

by VulDB Data Team • 10/11/2025

CVE-2023-28461 affects Array Networks Array AG Series and vxAG appliances running firmware 9.4.0.481 and earlier. It is rated critical and leads to remote code execution. The root cause is a missing authentication check in the SSL VPN gateway's HTTP handling: a request that carries a flags attribute in an HTTP header is granted filesystem browsing on the gateway without any credentials, and a vulnerable URL on the same appliance can then be used to execute code. In effect the flaw bypasses the authentication that should sit in front of every file and administrative resource on the device.

The weakness sits in how the gateway parses HTTP headers: the flags attribute is honoured without validation and without first checking for an authenticated session, so a crafted request with the right attribute is enough to list and read files. The attack is purely remote and operates at the application layer; the attacker needs no prior credentials and no position inside the network, only reachability to the gateway's HTTPS listener, which by design is exposed to the Internet. The entry is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). In ATT&CK terms the initial access is T1190 (Exploit Public-Facing Application) and the traffic itself is T1071.001 (Application Layer Protocol: Web Protocols), ordinary HTTPS that blends in with legitimate VPN sessions.

The impact goes well beyond information disclosure. Unauthenticated file browsing on a VPN gateway can expose configuration files, certificates and private keys, local account data and session material, all of which help an attacker map the appliance and reach the vulnerable URL that yields code execution. From there the usual outcomes follow: persistence on the appliance, interception or hijacking of VPN sessions, exfiltration, and disruption of remote access. Because the device sits on the perimeter and terminates trusted connections into the internal network, compromise of the gateway is effectively compromise of that boundary.

The vendor advisory of March 9, 2023 acknowledged the issue and said a fixed Array AG release would be available soon, without giving a date. The entry is listed in CISA's Known Exploited Vulnerabilities catalog, so exploitation in the wild is confirmed rather than theoretical. Until the fixed firmware is deployed, operators should confirm the running version against 9.4.0.481, restrict who can reach the gateway (allow-list or geo rules at the edge, and no exposure of management interfaces), log full request headers at the gateway or at a reverse proxy in front of it, and alert on unauthenticated requests that carry a flags attribute in any header or a traversal sequence in the request target. After patching, review the appliance for unexpected files, accounts and configuration changes, and rotate the certificates and credentials stored on it, since file access before the patch may already have disclosed them.
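The two checks above, the version comparison and the header-pattern alert, as an added example. This is not code from the VulDB entry or from Array Networks; the advisory does not name the header that carries the flags attribute, so the detector scans every header and treats `flags=<value>` as the attribute syntax. The session cookie name `ANSession`, the request paths and all sample requests are assumptions constructed for the example.

```python
"""Added triage helpers for CVE-2023-28461 (example code, not the vendor's or
VulDB's). ASSUMPTIONS: session cookie name ANSession, attribute syntax
'flags=<value>', and every sample request below is constructed."""

import re
from typing import Dict, List, Tuple

LAST_AFFECTED = (9, 4, 0, 481)   # "9.4.0.481 and earlier" per the advisory
SESSION_COOKIES = ("ANSession",)  # assumed name; adjust to your appliance
FLAGS_ATTR = re.compile(r"(?:^|[;,&\s])flags\s*=\s*[^;,&\s]+", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:\.\./|%2e%2e(?:%2f|/))", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.4.0.481' into a comparable tuple, padding short strings with 0."""
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the firmware is 9.4.0.481 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _http_version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def has_session(headers: Dict[str, str]) -> bool:
    """Does the Cookie header carry one of the assumed session cookie names?"""
    cookie = headers.get("cookie", "")
    names = {c.partition("=")[0].strip() for c in cookie.split(";") if c.strip()}
    return any(n in names for n in SESSION_COOKIES)


def findings_for(raw: str) -> List[str]:
    """Return detections for one request; empty list when nothing is suspicious."""
    _method, target, headers = parse_request(raw)
    out: List[str] = []
    if not has_session(headers):
        # The advisory's condition: a flags attribute on an unauthenticated request.
        for name, value in headers.items():
            if FLAGS_ATTR.search(value):
                out.append(f"unauthenticated request carries flags attribute in '{name}' header")
    if TRAVERSAL.search(target):
        out.append("directory traversal sequence in request target")
    return out


# Constructed sample traffic (hypothetical paths and header names).
SAMPLES = {
    "login": "GET /login HTTP/1.1\r\nHost: vpn.example.com\r\nUser-Agent: curl/8.0\r\n\r\n",
    "authed": ("GET /portal HTTP/1.1\r\nHost: vpn.example.com\r\n"
               "Cookie: ANSession=0123abcd; flags=2\r\n\r\n"),
    "probe": ("GET /files HTTP/1.1\r\nHost: vpn.example.com\r\n"
              "X-Options: flags=3\r\n\r\n"),
    "probe_traversal": ("GET /files/../../etc/passwd HTTP/1.1\r\nHost: vpn.example.com\r\n"
                        "X-Options: flags=3\r\n\r\n"),
}


def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Run findings_for over every sample and keep only the requests with hits."""
    hits: Dict[str, List[str]] = {}
    for name, raw in samples.items():
        found = findings_for(raw)
        if found:
            hits[name] = found
    return hits


if __name__ == "__main__":
    print("9.4.0.481 affected:", is_affected("9.4.0.481"))
    for name, found in scan().items():
        print(name, "->", "; ".join(found))
```

The authenticated sample carries `flags=2` in its cookie and is deliberately not reported, because the advisory's condition is an unauthenticated request; if your logging cannot see the session cookie (for example when decryption happens downstream), drop the `has_session` gate and accept the extra noise rather than miss the probe.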

Reservation

03/15/2023

Disclosure

03/16/2023

Moderation

accepted

CPE

ready

EPSS

0.67645

KEV

yes

Activities

very low

Campaigns

1 (confirmed)
