CVE-2023-28461 — Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability

Array Networks AG/vxAG SSL VPN — Unauthenticated File Read and RCE on VPN Gateway; Salt Typhoon (China-Nexus) Nation-State Exploitation; KEV November 2024

What is Array Networks AG/vxAG?

Array Networks AG Series and vxAG (virtual AG) are SSL VPN and application delivery gateways used by enterprises and government organizations to provide secure remote access to internal applications and networks. Array Networks appliances terminate SSL VPN sessions, enforce access policies, and proxy connections to internal resources — giving them a privileged position at the network perimeter. SSL VPN gateways are prime targets for nation-state actors: compromising a VPN gateway provides access to all VPN session credentials, the internal network segments reachable from the VPN, and often the configuration data of connected enterprise applications.

Overview

CVE-2023-28461 is a critical missing authentication vulnerability in Array Networks AG Series and vxAG ArrayOS that allows an unauthenticated attacker to read local files and execute code on the SSL VPN gateway. The vulnerability was disclosed in March 2023 but was added to CISA's Known Exploited Vulnerabilities catalog nearly 20 months later, in November 2024, following confirmed exploitation by nation-state threat actors — including Salt Typhoon (a China-nexus actor associated with telecommunications and critical infrastructure intrusions). The late KEV addition reflects sustained targeted exploitation of organizations using unpatched Array Networks appliances for high-value network access.

Affected Versions

Product                              Vulnerable              Fixed
Array Networks AG Series (ArrayOS)   9.4.0.484 and earlier   9.4.0.485 and later
Array Networks vxAG (virtual)        9.4.0.484 and earlier   9.4.0.485 and later

Technical Details

CWE-287 (Improper Authentication). Array Networks' ArrayOS exposes management and access functionality via HTTP/HTTPS endpoints on the VPN gateway. A missing authentication check on certain critical function endpoints allows an unauthenticated attacker to:

  1. Read local files: Access configuration files, SSL certificates, private keys, and credential stores on the appliance without authentication — providing the attacker with VPN configuration data, user credential hashes, and potentially plaintext pre-shared keys.
  2. Execute code: Invoke privileged operations on the gateway that execute OS commands or enable further system access, without requiring authentication.

SSL VPN gateways are internet-accessible by design (that is their purpose), meaning the attack surface is always exposed. A successful attacker gains access to the internal network segments routable from the VPN — effectively the same access as any remote employee using the VPN.

Discovery

The vulnerability was identified by security researchers and reported to Array Networks. Array Networks issued a patch in 2023. The 20-month gap to CISA KEV addition suggests the vulnerability was exploited in targeted attacks that took time to be attributed and confirmed.

Exploitation Context

CISA added CVE-2023-28461 to KEV in November 2024 following reports of nation-state exploitation. Salt Typhoon (tracked by Microsoft and others) — a China-nexus threat actor particularly focused on telecommunications providers and critical infrastructure — has been attributed to exploitation of SSL VPN vulnerabilities including CVE-2023-28461 for initial access to targeted networks.

SSL VPN gateways are a recurring high-priority target for Chinese nation-state actors because:

  1. They provide immediate network access to the organization's internal environment, including email, file servers, and line-of-business applications.
  2. Compromising a VPN gateway allows monitoring of all VPN session traffic, including credentials submitted by legitimate users.
  3. VPN appliances often receive delayed patching compared to general server infrastructure.

The Known Ransomware Use flag reflects that ransomware operators have also used unpatched SSL VPN gateways for initial access, consistent with the broader pattern of ransomware groups exploiting the same N-day vulnerabilities as nation-state actors.

Remediation

  1. Upgrade Array Networks AG/vxAG ArrayOS to version 9.4.0.485 or later immediately.
  2. Review VPN gateway logs for unauthenticated requests to privileged API endpoints, covering the whole period since March 2023, when the CVE was published.
  3. Rotate all credentials accessible through the gateway: VPN pre-shared keys, administrative credentials, SSL certificates and private keys (consider reissuing from a clean state).
  4. Audit VPN user accounts for unauthorized additions and review VPN access logs for unusual session origins or connection patterns.
  5. Restrict management interface access to dedicated management networks — the administrative interface should not be accessible from internet-facing VPN client interfaces.
  6. Treat any confirmed compromise of a VPN gateway as a full network compromise — conduct a thorough investigation of all network segments accessible through the VPN.
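Steps 1 and 2 above can be partly automated. The following Python is an added example, not code from the page or from Array Networks: it checks an ArrayOS version string against the first fixed release and scans gateway access logs for successful, session-less requests to privileged endpoints since the disclosure date. The log layout and the "/placeholder-privileged/" prefix are constructed assumptions; substitute the real ArrayOS log format and the endpoints named in the vendor advisory.

```python
import re
from datetime import date

FIXED = (9, 4, 0, 485)          # first fixed ArrayOS release per the advisory
DISCLOSED = date(2023, 3, 15)   # CVE publication date; start of the review window


def is_vulnerable(version: str) -> bool:
    """True when an ArrayOS version string sorts below the first fixed release."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED


# Assumed, constructed log layout (NOT the real ArrayOS format):
# <date> <client-ip> <method> <path> <status> session=<id|none>
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) session=(?P<session>\S+)$"
)


def find_unauthenticated_privileged(lines, privileged_prefixes, since=DISCLOSED):
    """Return (date, ip, path) for successful, session-less hits on privileged paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines in other formats rather than guessing at them
        if date.fromisoformat(m["date"]) < since:
            continue  # outside the exposure window
        authenticated = m["session"] != "none"
        privileged = any(m["path"].startswith(p) for p in privileged_prefixes)
        succeeded = m["status"].startswith("2")  # a 401/403 means the check held
        if privileged and not authenticated and succeeded:
            hits.append((m["date"], m["ip"], m["path"]))
    return hits


# Constructed sample lines. "/placeholder-privileged/" stands in for whichever
# endpoints the vendor advisory identifies; it is not a real ArrayOS path.
SAMPLE_LOG = [
    "2023-02-01 203.0.113.5 GET /placeholder-privileged/config 200 session=none",
    "2024-10-30 198.51.100.7 GET /placeholder-privileged/config 200 session=none",
    "2024-10-30 198.51.100.7 GET /placeholder-privileged/config 401 session=none",
    "2024-10-31 192.0.2.10 GET /placeholder-privileged/config 200 session=abc123",
    "2024-10-31 192.0.2.11 GET /portal/login 200 session=none",
]

if __name__ == "__main__":
    print("9.4.0.484 vulnerable:", is_vulnerable("9.4.0.484"))
    print(find_unauthenticated_privileged(SAMPLE_LOG, ["/placeholder-privileged/"]))
```

Only the second sample line is reported: the first predates disclosure, the third was refused, the fourth carried a session, and the fifth is not a privileged path.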

Key Details

Property              Value
CVE ID                CVE-2023-28461
Vendor / Product      Array Networks — AG/vxAG ArrayOS
NVD Published         2023-03-15
NVD Last Modified     2025-11-03
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-287
CISA KEV Added        2024-11-25
CISA KEV Deadline     2024-12-16
Known Ransomware Use  Yes

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2024-12-16. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-03-15   CVE-2023-28461 published — Array Networks AG/vxAG missing authentication for SSL VPN file read and RCE
2024-11-25   CISA adds to Known Exploited Vulnerabilities catalog — active nation-state exploitation confirmed, 20 months after disclosure
2024-12-16   CISA BOD 22-01 remediation deadline