CVE-2023-28461

9.8 CRITICAL

📋 TL;DR

CVE-2023-28461 is a critical remote code execution vulnerability in Array Networks AG Series and vxAG SSL VPN gateways. Attackers can exploit this without authentication by manipulating HTTP headers to browse the filesystem and execute arbitrary code. Organizations using affected versions of these VPN appliances are at risk.

💻 Affected Systems

Products:
  • Array Networks AG Series
  • Array Networks vxAG
Versions: 9.4.0.481 and earlier
Operating Systems: ArrayOS (proprietary)
Default Config Vulnerable: ⚠️ Yes
Notes: All configurations of affected versions are vulnerable. The vulnerability exists in the SSL VPN gateway component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the VPN gateway allowing attackers to pivot into internal networks, steal credentials, deploy ransomware, or establish persistent backdoors.

🟠 Likely Case

Data exfiltration, credential harvesting from VPN users, and lateral movement into connected internal networks.

🟢 If Mitigated

Limited impact if network segmentation isolates the VPN gateway and strong monitoring detects exploitation attempts.

🌐 Internet-Facing: HIGH - SSL VPN gateways are typically internet-facing, making them prime targets for unauthenticated remote attacks.
🏢 Internal Only: MEDIUM - If the VPN gateway is only accessible internally, the risk is reduced but still significant because of potential insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 9.4.0.481 (specific fixed version not specified in advisory)

Vendor Advisory: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf

Restart Required: Yes

Instructions:

1. Contact Array Networks support for the fixed release.
2. Back up the current configuration.
3. Apply the firmware update.
4. Reboot the appliance.
5. Verify functionality post-update.

🔧 Temporary Workarounds

Network Access Control (applies to: all)

  • Restrict access to the VPN gateway management interface to trusted IP addresses only
  • Configure firewall rules to allow only specific source IPs to access the VPN gateway on management ports

WAF/IPS Mitigation (applies to: all)

  • Deploy web application firewall or intrusion prevention system rules to block malicious HTTP headers
  • Configure WAF/IPS to block requests containing suspicious flags attributes in HTTP headers

🧯 If You Can't Patch

  • Isolate the VPN gateway in a dedicated network segment with strict egress filtering
  • Implement enhanced monitoring for unusual file access patterns or unauthorized process execution on the appliance

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web admin interface or CLI. If the version is 9.4.0.481 or earlier, the system is vulnerable.

Check Version:

From CLI: show version | include AG

Verify Fix Applied:

Verify that the firmware version is newer than 9.4.0.481 and test that HTTP header manipulation no longer allows filesystem access.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests with flags attributes in headers
  • Unexpected file access patterns in system logs
  • Unauthorized process execution events

Network Indicators:

  • HTTP requests to VPN gateway with manipulated headers
  • Unusual outbound connections from VPN appliance

SIEM Query:

source="vpn-gateway" AND (http_header="*flags*" OR process="unexpected_executable")

🔗 References