Executive Summary
In early June 2024, threat actors began actively exploiting a command injection vulnerability in Array Networks AG Series VPN devices, targeting organizations and critical infrastructure globally. Attackers leveraged the flaw to plant malicious webshells and create rogue administrative users, gaining persistent access to internal networks. The observed attacks allowed adversaries to bypass normal authentication and move laterally, posing significant operational risks by exposing sensitive internal systems and enabling further exploitation. The breach heightened concerns about the security of perimeter VPN appliances and the need for urgent patching.
This incident is especially significant as attackers rapidly weaponize new vulnerabilities in edge infrastructure, reflecting a persistent trend of chaining VPN flaws to compromise enterprise environments. Heightened regulatory scrutiny and rising sophistication in attacks on remote access solutions underscore the urgent need for enhanced security controls and vigilant vulnerability management.
Why This Matters Now
The ongoing exploitation of unpatched VPN appliances highlights the critical risk of relying on perimeter defense tools that lack modern security controls. Given the accelerated time-to-weaponization for zero-day vulnerabilities, organizations must act swiftly to inventory, patch, and monitor external-facing infrastructure, or risk serious breaches involving lateral movement and credential theft.
Attack Path Analysis
Attackers exploited a command injection vulnerability in ArrayOS AG VPN devices to gain initial access and deploy webshells. They created rogue user accounts to escalate privileges, then potentially moved laterally within the internal network using the compromised VPN device. The attackers established command and control using the webshells, enabling persistent communication with compromised systems. Sensitive data could then be exfiltrated via the VPN or webshell channels. Finally, the impact could include persistent backdoors, further compromise, or data loss.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an exposed command injection vulnerability (CVE-2025-66644) in ArrayOS AG VPN devices to gain unauthorized access and deploy webshells.
Related CVEs
CVE-2025-66644
CVSS 7.2. A command injection vulnerability in Array Networks ArrayOS AG before version 9.4.5.9 allows authenticated remote attackers to execute arbitrary commands, leading to potential system compromise.
Affected Products: Array Networks ArrayOS AG – < 9.4.5.9
Exploit Status: exploited in the wild
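The advisory's affected range (ArrayOS AG below 9.4.5.9) is easy to misjudge with a plain string comparison, since "9.4.5.10" sorts before "9.4.5.9" lexically. The following is an added inventory check, not code from the advisory or from Array Networks; the hostnames and version strings in SAMPLE_INVENTORY are constructed for illustration.

```python
"""Flag ArrayOS AG builds below the fixed version named in the advisory.
Added example; the inventory entries below are constructed, not from the page."""
import re

FIXED_VERSION = "9.4.5.9"      # from the advisory: ArrayOS AG < 9.4.5.9 is affected
CVE_ID = "CVE-2025-66644"

# Constructed sample inventory: (hostname, version reported by the appliance)
SAMPLE_INVENTORY = [
    ("vpn-east-01", "9.4.5.8"),
    ("vpn-east-02", "9.4.5.9"),
    ("vpn-west-01", "9.4.5.10"),   # numerically above the fix; a string compare gets this wrong
    ("vpn-lab-01", "9.4.4.12"),
    ("vpn-dmz-01", "10.0.0.1"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.5.9' into (9, 4, 5, 9); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version sorts strictly below the fixed build, component by component."""
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))   # a short string like '9.4.5' compares as 9.4.5.0
    f += (0,) * (width - len(f))
    return v < f


def affected_hosts(inventory):
    """Hostnames whose build is below the fix, in inventory order, for patch prioritisation."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: below {FIXED_VERSION}, exposed to {CVE_ID}")
```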
MITRE ATT&CK® Techniques
- Exploit Public-Facing Application
- Command and Scripting Interpreter: PowerShell
- Server Software Component: Web Shell
- Create Account
- Valid Accounts
- Exploitation for Defense Evasion
- Process Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Public-Facing Application Vulnerability Management (Control ID: 6.4.2)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- NIS2 Directive – Vulnerability Handling and Disclosure (Control ID: Article 21(2)(d))
- DORA – ICT Risk Management (Control ID: Article 9(2))
- CISA ZTMM 2.0 – Account Management and Control (Control ID: Identity Pillar PR.ACC-1)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Array AG VPN exploitation enables network infrastructure compromise, threatening encrypted traffic and egress security critical for financial compliance and data protection.
Health Care / Life Sciences
Webshell deployment through VPN vulnerabilities compromises patient data protection, violating HIPAA requirements for secure network access and encrypted communications.
Government Administration
Command injection attacks on VPN infrastructure create unauthorized access pathways, undermining zero trust segmentation and multicloud visibility essential for government security.
Information Technology/IT
Array VPN exploitation directly impacts IT service providers managing client networks, enabling lateral movement and threatening managed security service delivery capabilities.
Sources
- Hackers are exploiting ArrayOS AG VPN flaw to plant webshells: https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/
- Array Networks Security Advisory: Command Injection Attacks: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_Command_Injection_Attacks.pdf
- JPCERT/CC Alert: Active Exploitation of ArrayOS AG Command Injection Vulnerability: https://www.jpcert.or.jp/at/2025/at250024.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust controls such as segmentation, East-West traffic security, egress policy enforcement, and runtime anomaly detection could have prevented or limited each stage of this attack by shrinking the attack surface, detecting rogue access, and blocking malicious outbound communications.
- Control: Cloud Firewall (ACF) + Inline IPS (Suricata). Mitigation: Malicious exploit traffic would have been blocked or detected at the network perimeter.
- Control: Zero Trust Segmentation. Mitigation: Identity-based least privilege policies could have limited or alerted on unauthorized privilege elevation.
- Control: East-West Traffic Security. Mitigation: Unusual workload-to-workload or service-to-service traffic would be monitored, blocked, or flagged.
- Control: Threat Detection & Anomaly Response. Mitigation: Outbound C2 traffic or unusual server behaviors trigger immediate alerting and response.
- Control: Egress Security & Policy Enforcement. Mitigation: Outbound data transfers to unapproved destinations are blocked and logged.
Post-compromise activities such as persistence mechanisms and anomalous configurations are detected for rapid remediation.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate data due to unauthorized access facilitated by webshell deployment.
Recommended Actions
Key Takeaways & Next Steps
- Deploy inline IPS and cloud firewall controls to block exploitation of vulnerable VPN appliances.
- Enforce Zero Trust Segmentation to ensure least privilege and prevent movement by rogue or compromised accounts.
- Implement East-West traffic security to detect and restrict unauthorized lateral movement within cloud and hybrid networks.
- Strengthen egress policy enforcement to block C2 communication and prevent sensitive data leakage.
- Maintain continuous threat detection and anomaly response to rapidly identify persistence mechanisms and respond to active threats.