嗯,用户让我帮忙总结一下这篇文章的内容,控制在一百个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头,直接写描述就行。首先,我需要仔细阅读这篇文章,理解其主要内容。 文章讲的是威胁行为者利用Array AG系列VPN设备中的一个命令注入漏洞植入网络shell,并创建流氓用户。Array Networks已经在5月份的安全更新中修复了这个漏洞,但没有分配标识符,这使得追踪和补丁管理变得复杂。日本的计算机紧急响应小组(CERT)发布了一个警告,指出黑客自8月以来一直在利用这个漏洞攻击日本的组织。攻击源自IP地址194.233.100[.]138。漏洞影响ArrayOS AG 9.4.5.8及更早版本,包括启用了“DesktopDirect”远程访问功能的AG系列硬件和虚拟设备。JPCERT建议升级到版本9.4.5.9,并提供了如果无法升级的变通方法:禁用DesktopDirect服务或使用URL过滤阻止包含分号的URL访问。Macnica的安全研究员Yutaka Sejiyama报告称,全球有1,831个ArrayAG实例,主要分布在中国、日本和美国。至少有11个主机启用了DesktopDirect功能。由于用户主要集中在亚洲,特别是日本受到攻击较多,日本以外的安全厂商和组织没有给予足够关注。BleepingComputer联系了Array Networks询问是否计划发布CVE-ID和官方公告,但截至发布时间未收到回复。 现在我需要将这些信息浓缩到100字以内。重点包括:漏洞被利用、影响范围、修复情况、建议措施、以及用户分布情况。 可能的总结结构: 威胁行为者利用Array AG系列VPN设备中的命令注入漏洞植入网络shell并创建流氓用户。该漏洞影响ArrayOS AG 9.4.5.8及更早版本,并已被修复但未分配标识符。攻击源自特定IP地址,主要针对日本组织。建议升级或禁用相关功能以缓解风险。 检查字数是否在限制内,并确保信息准确且关键点都涵盖。 </think> 威胁行为者利用Array AG系列VPN设备中的命令注入漏洞植入网络shell并创建流氓用户。该漏洞影响ArrayOS AG 9.4.5.8及更早版本,并已被修复但未分配标识符。攻击源自特定IP地址,主要针对日本组织。建议升级或禁用相关功能以缓解风险。 2025-12-4 23:15:19 Author: www.bleepingcomputer.com(查看原文) 阅读量:4 收藏
Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users.
Array Networks fixed the vulnerability in a May security update, but has not assigned an identifier, complicating efforts to track the flaw and patch management.
An advisory from Japan's Computer Emergency and Response Team (CERT) warns that hackers have been exploiting the vulnerability since at least August in attacks targeting organizations in the country.
The agency reports that the attacks originate from the IP address 194.233.100[.]138, which is also used for communications.
“In the incidents confirmed by JPCERT/CC, a command was executed attempting to place a PHP webshell file in the path /ca/aproxy/webapp/,” reads the bulletin (machine translated).
The flaw impacts ArrayOS AG 9.4.5.8 and earlier versions, including AG Series hardware and virtual appliances with the ‘DesktopDirect’ remote access feature enabled.
JPCERT says that Array OS version 9.4.5.9 addresses the problem and provides the following workarounds if updating is not possible:
- If the DesktopDirect feature is not in use, disable all DesktopDirect services
- Use URL filtering to block access to URLs containing a semicolon
Array Networks AG Series is a line of secure access gateways that rely on SSL VPNs to create encrypted tunnels for secure remote access to corporate networks, applications, desktops, and cloud resources.
Typically, they are used by large organizations and enterprises that need to facilitate remote or mobile work.
Macnica’s security researcher, Yutaka Sejiyama, reported on X that his scans returned 1,831 ArrayAG instances worldwide, primarily in China, Japan, and the United States.
The researcher verified that at least 11 hosts have the DesktopDirect feature enabled, but cautioned that the possibility of more hosts with DesktopDirect active is significant.
“Because this product’s user base is concentrated in Asia and most of the observed attacks are in Japan, security vendors and security organizations outside Japan have not been paying close attention,” Sejiyama told BleepingComputer.
BleepingComputer contacted Array Networks to ask whether they plan to publish a CVE-ID and an official advisory for the actively exploited flaw, but a reply was not available by publication time.
Last year, CISA warned about active exploitation targeting CVE-2023-28461, a critical remote code execution in Array Networks AG and vxAG ArrayOS.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
如有侵权请联系:admin#unsafe.sh