Executive Summary
In December 2025, JPCERT/CC reported that a command injection vulnerability in Array Networks AG Series secure access gateways had been actively exploited in the wild since at least August 2025. The flaw, in the DesktopDirect remote desktop access feature, allows remote attackers to execute arbitrary commands on an affected appliance. Array Networks had fixed it in ArrayOS AG 9.4.5.9 in May 2025, and no CVE was available at the time of disclosure (it was later tracked as CVE-2025-66644), so gateways still running older releases remained exposed to attacks that can lead to further compromise and unauthorized network access.
This incident underscores the persistent risk posed by unpatched edge infrastructure and weak network segmentation. Growing exploitation of zero-day flaws in remote access products, combined with increased regulatory scrutiny, makes rapid detection, prompt patching, and least-privilege policy enforcement more critical than ever.
Why This Matters Now
Exploitation of command injection flaws in Internet-facing network gateways is accelerating, exposing organizations to lateral movement, data theft, and downstream supply chain risk. As attackers concentrate on remote access products, organizations must urgently reassess patch hygiene, monitoring, and segmentation controls to keep a compromised gateway from becoming a path deep into the network.
Attack Path Analysis
Attackers exploited the command injection flaw in the Array AG Series gateway's DesktopDirect component to gain initial access. Because the injected commands execute on the appliance itself, that foothold could be escalated to deeper system access. From the gateway, which sits between external users and internal resources, the attackers could move laterally into the internal network, possibly reaching other workloads or regions. Command and control connections would provide persistence and a channel for further instructions, and data or credentials may have been exfiltrated over egress channels using encrypted or covert traffic. The likely impact includes continued unauthorized access, risk of data theft, and disruption of secure access services.
Kill Chain Progression
Initial Compromise
Description
Exploitation of the command injection vulnerability in the Array AG Series gateway's DesktopDirect feature gave remote attackers arbitrary command execution on the appliance.
Related CVEs
CVE-2025-66644 (CVSS 7.2)
A command injection vulnerability in Array Networks ArrayOS AG before version 9.4.5.9 allows authenticated remote attackers to execute arbitrary commands on the system.
Affected Products:
Array Networks ArrayOS AG – < 9.4.5.9
Exploit Status:
exploited in the wild
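A practical first check for an exposed deployment is whether the running ArrayOS AG release is older than the fixed 9.4.5.9. The Python below is an added example, not Array Networks or JPCERT/CC code; it assumes you already have the version string in hand (how it is read off a device is not covered here) and compares it numerically, because a plain string comparison misorders releases such as 9.4.5.10 against 9.4.5.9. The sample inventory is constructed.

```python
"""Flag ArrayOS AG gateways still running a release older than 9.4.5.9.

Added example, not vendor code. Assumption: the caller already has each
gateway's version string; this module only interprets it.
"""
import re

# First fixed release named in the advisory summarized on this page.
FIXED_VERSION = "9.4.5.9"


def parse_version(version: str) -> tuple:
    """Turn a dotted release string into a tuple of ints for numeric ordering.

    String comparison is the classic mistake here: "9.4.5.10" < "9.4.5.9"
    as text (because "1" sorts before "9"), which would wrongly mark a newer
    release as affected. Any trailing non-digit suffix on a component
    (assumed to be a build tag) is ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"(\d+)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(m.group(1)))
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly older than the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory):
    """Return the (name, version) pairs from `inventory` that still need the update."""
    return [(name, ver) for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("ag-edge-01", "9.4.5.8"),
    ("ag-edge-02", "9.4.5.9"),
    ("ag-edge-03", "9.4.5.10"),
    ("ag-lab-01", "9.4.0.1"),
]

if __name__ == "__main__":
    for name, ver in triage(SAMPLE_INVENTORY):
        print(f"{name}: ArrayOS AG {ver} is older than {FIXED_VERSION}, update required")
```

Run the module against an export of your gateway inventory; anything it lists should be treated as exploitable until upgraded, given the in-the-wild exploitation noted above.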
MITRE ATT&CK® Techniques
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
- T1210 Exploitation of Remote Services
- T1078 Valid Accounts
- T1562.001 Impair Defenses: Disable or Modify Tools
- T1003 OS Credential Dumping
- T1046 Network Service Discovery
- T1566 Phishing
Potential Compliance Exposure
Mapping of the incident's impact across several compliance frameworks.
PCI DSS 4.0 – Timely Installation of Security Patches and Updates
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Art. 9
CISA ZTMM 2.0 – Device Security Posture
Control ID: Pillar 2.1
NIS2 Directive – Vulnerability Handling and Disclosure
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerability, including operational, regulatory, and cloud security risks.
Financial Services
Command injection in the Array AG gateway enables unauthorized access to the secure remote desktop connections it brokers, putting financial data at risk and exposing the organization to compliance violations.
Health Care / Life Sciences
The DesktopDirect vulnerability exposes patient data reachable through compromised secure access gateways, creating potential HIPAA violations and enabling lateral movement.
Government Administration
Attacks on secure gateways threaten government remote access systems, potentially exposing sensitive data and disrupting critical administrative functions.
Information Technology/IT
Command injection in secure access gateways directly impacts IT infrastructure, giving threat actors a foothold from which to pivot into internal east-west traffic.
Sources
- JPCERT Confirms Active Command Injection Attacks on Array AG Gateways: https://thehackernews.com/2025/12/jpcert-confirms-active-command.html
- Array Networks Security Advisory: AG/vxAG Command Injection Vulnerability ID-94555: https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_ID-94555_Rev1.pdf
- JPCERT/CC alert on the command injection vulnerability in the Array Networks Array AG series: https://www.jpcert.or.jp/at/2025/at250024.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-based controls, including zero trust segmentation, east-west traffic security, egress enforcement, and real-time threat detection, would have significantly limited attacker movement and data loss during this attack. These capabilities constrain lateral movement from the compromised gateway, surface anomalies promptly, and enforce policy to block command and control or exfiltration traffic leaving the cloud network.
Control: Zero Trust Segmentation
Mitigation: Reduced accessible attack surface and exposure of gateway management interfaces.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of suspicious privilege escalation or abnormal system behavior.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized internal communications and lateral movement paths.
Control: Egress Security & Policy Enforcement
Mitigation: Identified and stopped suspicious outbound C2 traffic.
Control: Cloud Firewall (ACF)
Mitigation: Prevented unapproved data egress by enforcing strict outbound firewall policies.
Rapid visibility into attack blast radius and automated incident response.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive corporate data due to unauthorized access facilitated by the vulnerability.
Recommended Actions
Key Takeaways & Next Steps
- Implement zero trust segmentation to restrict access to management interfaces and prevent lateral movement from compromised devices.
- Activate east-west traffic security to monitor and control workload-to-workload communications within cloud and hybrid environments.
- Enforce outbound egress and application policies to block unauthorized command and control or exfiltration attempts from critical infrastructure.
- Deploy real-time threat detection and anomaly response to rapidly identify privilege escalation and malicious behaviors.
- Strengthen centralized visibility with multicloud observability and automated policy enforcement for rapid incident detection and containment.