On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included a recently patched critical vulnerability affecting Array Networks AG and vxAG secure access gateways in its Known Exploited Vulnerabilities (KEV) catalog. This addition follows credible reports indicating active exploitation of the flaw in real-world scenarios.

The vulnerability, designated as CVE-2023-28461, carries a CVSS score of 9.8 and pertains to a significant case of missing authentication, allowing remote code execution. Array Networks addressed this security deficiency with a patch (version 9.4.0.484) released in March 2023.

Array Networks noted that this vulnerability enables an attacker to browse the filesystem or execute arbitrary code on the SSL VPN gateway by supplying specific attributes within HTTP headers, without requiring authentication. Exploitation is possible through a vulnerable URL, so any gateway exposed to untrusted networks can be attacked directly.

The KEV catalog update arrives shortly after cybersecurity firm Trend Micro reported that a China-aligned cyber espionage group, known as Earth Kasha (also tracked as MirrorFace), has been exploiting vulnerabilities in publicly accessible enterprise products, including Array Networks AG/vxAG (CVE-2023-28461), Proself (CVE-2023-45727), and Fortinet FortiOS/FortiProxy (CVE-2023-27997), for initial access.

Earth Kasha has a history of targeting Japanese entities, although their recent activities have also extended to entities in Taiwan, India, and Europe. Earlier this month, ESET revealed that Earth Kasha launched a campaign against an unidentified diplomatic entity in the European Union, leveraging the upcoming World Expo 2025 in Osaka as bait to introduce a backdoor known as ANEL.

In light of the ongoing exploitation of these vulnerabilities, CISA strongly recommends that Federal Civilian Executive Branch (FCEB) agencies implement the necessary patches by December 16, 2024, to safeguard their networks against potential intrusions.

Recent disclosures indicate that 15 Chinese hacking groups, among a total of 60 identified threat actors, have been linked to the exploitation of at least one of the top fifteen vulnerabilities in 2023, according to findings by VulnCheck. The company has identified over 440,000 internet-exposed systems that may be vulnerable to these attacks.

VulnCheck’s Patrick Garrity emphasized the need for organizations to assess their exposure to these technologies, enhance visibility of possible risks, and employ robust threat intelligence strategies. Strong patch management practices are critical, along with implementing mitigative measures such as reducing the internet-facing footprint of devices when possible.
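The practical task the article leaves to the reader is turning the advisory into a prioritized patch list: which gateways run a build older than the fixed release, which of those are internet-facing, and how much time remains before the CISA deadline. The following script is an added example, not code from CISA, Array Networks, Trend Micro or VulnCheck. It takes the patched version (9.4.0.484) and the KEV due date (December 16, 2024) from the article; the inventory, hostnames, version numbers and the "OtherProduct" entry are constructed for illustration. It assumes that version strings compare numerically component by component, which is why they are parsed into integer tuples rather than compared as text.

```python
"""Triage helper: flag unpatched Array Networks AG/vxAG gateways and rank them.

Added example. Facts taken from the advisory: fixed build 9.4.0.484, KEV
due date 2024-12-16, affected products AG and vxAG. Everything else is
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

CVE_ID = "CVE-2023-28461"
FIXED_VERSION = "9.4.0.484"          # patch release named in the article
KEV_DUE_DATE = date(2024, 12, 16)    # CISA remediation deadline from the article
AFFECTED_PRODUCTS = {"AG", "vxAG"}   # product lines named in the article


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.4.0.484' into (9, 4, 0, 484) so builds compare numerically.

    A plain string comparison would rank '9.4.0.5' above '9.4.0.484' and
    silently mark an old build as patched; integer tuples avoid that trap.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the build predates the fix release; equal or newer is patched."""
    return parse_version(version) < parse_version(FIXED_VERSION)


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    version: str
    internet_exposed: bool
    days_until_due: int
    priority: str


def triage(assets: List[Asset], today: date) -> List[Finding]:
    """Return the unpatched AG/vxAG assets, most urgent first.

    Internet-facing gateways get P1 because the flaw is unauthenticated,
    actively exploited, and reachable through a URL; internal ones get P2.
    """
    findings: List[Finding] = []
    days_left = (KEV_DUE_DATE - today).days
    for asset in assets:
        if asset.product not in AFFECTED_PRODUCTS:
            continue                      # different product line, out of scope
        if not is_vulnerable(asset.version):
            continue                      # already on the fixed build or newer
        priority = "P1" if asset.internet_exposed else "P2"
        findings.append(Finding(asset.hostname, asset.version,
                                asset.internet_exposed, days_left, priority))
    findings.sort(key=lambda f: (f.priority, f.hostname))
    return findings


# Constructed sample inventory (hypothetical hosts; not from the article).
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "AG", "9.4.0.470", internet_exposed=True),
    Asset("vpn-lab-02", "vxAG", "9.4.0.5", internet_exposed=False),
    Asset("vpn-edge-03", "AG", "9.4.0.484", internet_exposed=True),
    Asset("lb-core-01", "OtherProduct", "10.0.0.1", internet_exposed=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, today=date(2024, 11, 26)):
        print(f"{f.priority} {f.hostname} {f.version} "
              f"exposed={f.internet_exposed} due_in={f.days_until_due}d")
```

Run as-is the script reports the two unpatched gateways, with the internet-facing one first and the 9.4.0.484 host correctly omitted; the numeric version parse is the part worth keeping when adapting this to a real asset inventory, since text comparison of build numbers is the usual source of false "patched" results.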