ArrayOS AG VPN Flaw Exploited to Deploy Webshells
Summary
Threat actors are exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. The flaw, which affects ArrayOS AG 9.4.5.8 and earlier versions, was patched in May but lacks a CVE identifier. Attacks have been observed since at least August, targeting organizations in Japan. The vulnerability is linked to the 'DesktopDirect' remote access feature, and workarounds are available for those unable to update. The attacks have originated from the IP address 194.233.100[.]138. An authentication bypass flaw in the same product (CVE-2023-28461, CVSS score 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.
Timeline
- 05.12.2025 07:40 (1 article)
  Historical Context of Similar Attacks by MirrorFace
  An authentication bypass flaw in the same product (CVE-2023-28461, CVSS score 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.
  Sources:
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- 05.12.2025 01:05 (2 articles)
  ArrayOS AG VPN Flaw Exploited to Deploy Webshells
  Threat actors have been exploiting a command injection vulnerability in Array AG Series VPN devices to plant webshells and create rogue users. The flaw, affecting ArrayOS AG 9.4.5.8 and earlier versions, was patched in May but lacks a CVE identifier. Attacks have been observed since at least August, targeting organizations in Japan. The vulnerability is linked to the 'DesktopDirect' remote access feature, and workarounds are available for those unable to update. The attacks have originated from the IP address 194.233.100[.]138.
  Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
Information Snippets
- The vulnerability allows command injection to plant webshells and create rogue users.
  First reported: 05.12.2025 01:05 (2 sources, 2 articles). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- The flaw affects ArrayOS AG 9.4.5.8 and earlier versions with the 'DesktopDirect' feature enabled.
  First reported: 05.12.2025 01:05 (2 sources, 2 articles). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- Attacks have been observed since at least August, targeting organizations in Japan.
  First reported: 05.12.2025 01:05 (2 sources, 2 articles). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- The vulnerability was patched in May, but no CVE identifier has been assigned.
  First reported: 05.12.2025 01:05 (2 sources, 2 articles). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- Workarounds include disabling DesktopDirect services or using URL filtering to block access to URLs containing a semicolon.
  First reported: 05.12.2025 01:05 (2 sources, 2 articles). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- Scans identified 1,831 Array AG instances worldwide, with at least 11 hosts having DesktopDirect enabled.
  First reported: 05.12.2025 01:05 (1 source, 1 article). Sources:
  - Hackers are exploiting ArrayOS AG VPN flaw to plant webshells — www.bleepingcomputer.com — 05.12.2025 01:05
- The attacks have originated from the IP address 194.233.100[.]138.
  First reported: 05.12.2025 07:40 (1 source, 1 article). Sources:
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
- An authentication bypass flaw in the same product (CVE-2023-28461, CVSS score 9.8) was exploited last year by a China-linked cyber espionage group dubbed MirrorFace, which has a history of targeting Japanese organizations since at least 2019.
  First reported: 05.12.2025 07:40 (1 source, 1 article). Sources:
  - JPCERT Confirms Active Command Injection Attacks on Array AG Gateways — thehackernews.com — 05.12.2025 07:40
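Added detection example, not code from any of the sources cited above: a Python triage of web access-log lines against the two indicators the reporting gives, a semicolon in the request URL (the URL-filtering workaround) and the reported source address. The log layout is assumed to be Common Log Format and the sample lines are constructed; the real appliance log format may differ.

```python
"""Triage access-log lines against the indicators in the Array AG reporting:
a request URL containing ';' (literal or percent-encoded) and the reported
source IP. Sample lines are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Source address named in the reporting (written defanged there as 194.233.100[.]138)
SUSPECT_SOURCE_IPS = {"194.233.100.138"}

# Assumed Common Log Format: host ident authuser [date] "method url proto" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def url_has_semicolon(url: str) -> bool:
    """True if the URL carries a semicolon literally or as %3B/%3b.
    Decoding first keeps an encoded semicolon from slipping past a literal match."""
    return ";" in url or ";" in unquote(url)


def classify(line: str) -> list:
    """Return the indicator names that match this line; [] means nothing matched."""
    m = CLF_RE.match(line)
    if not m:
        return ["unparsed"]  # surface lines the regex could not read instead of dropping them
    src, _method, url, _status = m.groups()
    hits = []
    if src in SUSPECT_SOURCE_IPS:
        hits.append("known-source-ip")
    if url_has_semicolon(url):
        hits.append("semicolon-in-url")
    return hits


def triage(lines) -> dict:
    """Map each flagged line to its indicators; clean lines are omitted."""
    result = {}
    for ln in lines:
        hits = classify(ln)
        if hits:
            result[ln] = hits
    return result


# Constructed sample lines (addresses other than the IoC are documentation ranges)
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:09:14:01 +0900] "GET /portal/login HTTP/1.1" 200 5120',
    '194.233.100.138 - - [12/Aug/2025:09:15:22 +0900] "GET /portal/view;x=1 HTTP/1.1" 200 88',
    '203.0.113.9 - - [13/Aug/2025:11:02:45 +0900] "GET /portal/view%3Bx=1 HTTP/1.1" 200 88',
    '198.51.100.7 - - [13/Aug/2025:11:05:10 +0900] "POST /portal/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits), "->", line)
```

Semicolons also appear in legitimate URLs as path parameters, so treat the semicolon match as a review queue rather than an automatic verdict, and confirm the blocking filter in front of the appliance decodes percent-encoding before it compares.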
Similar Happenings
W3 Total Cache WordPress Plugin Command Injection Vulnerability
A critical unauthenticated command injection vulnerability (CVE-2025-9501) in the W3 Total Cache WordPress plugin allows attackers to execute arbitrary PHP commands on the server by posting a malicious comment. The flaw affects versions prior to 2.8.13 and is actively being exploited. The developer released a patch on October 20, but hundreds of thousands of websites remain vulnerable. A proof-of-concept exploit is scheduled for public release on November 24.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution. Recently, threat actors have been exploiting CVE-2025-59287 to distribute ShadowPad malware, a modular backdoor used by Chinese state-sponsored hacking groups. Attackers used PowerCat, certutil, and curl to obtain a system shell and download ShadowPad. The malware is launched via DLL side-loading and comes with anti-detection and persistence techniques.
Command Injection Vulnerability in Figma MCP
A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw, stemming from unsanitized user input, was patched in version 0.6.3. The issue affects developers using AI-powered coding agents like Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is constructed using shell command strings, enabling potential remote code execution. The patch replaces 'child_process.exec()' with 'child_process.execFile()' and implements proper input validation. Users should upgrade to Figma MCP version 0.6.3 or higher, audit systems using vulnerable versions, and review logs for suspicious command execution patterns. There are over 15,000 MCP servers in the world, with many misconfigured and lacking authentication or access controls.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has **reiterated urgent warnings** to U.S. federal agencies after discovering that some organizations incorrectly applied updates for **CVE-2025-20333** and **CVE-2025-20362**, leaving devices marked as 'patched' but still vulnerable to active exploitation. CISA confirmed it is tracking ongoing attacks targeting unpatched Cisco ASA and Firepower devices within Federal Civilian Executive Branch (FCEB) agencies, with over **30,000 devices** remaining exposed globally, down from 45,000 in early October. The vulnerabilities enable unauthenticated remote code execution, unauthorized access to restricted endpoints, and denial-of-service (DoS) attacks. They have been linked to the **ArcaneDoor campaign**, a state-sponsored group active since at least July 2023, which has deployed malware like **RayInitiator** and **LINE VIPER**, manipulated ROM for persistence, and forced devices into reboot loops. CISA’s **Emergency Directive 25-03**, issued in September 2025, mandates federal agencies to account for all affected devices, disconnect end-of-support systems, and apply minimum software versions. The directive also introduced the **RayDetect scanner** to detect compromise evidence in ASA core dumps. Recent findings reveal the same threat actor also exploited **CVE-2025-5777 (Citrix Bleed 2)** and **CVE-2025-20337 (Cisco ISE)** as zero-days, deploying a custom web shell ('IdentityAuditAction') with advanced evasion techniques. The campaign’s indiscriminate targeting and multi-platform exploitation underscore the adversary’s broad capabilities and access to sophisticated tools.
Critical OS Command Injection Vulnerability in FortiSIEM (CVE-2025-25256) Exploited in the Wild
Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-25256. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code or commands via crafted CLI requests. Exploit code for this vulnerability has been observed in the wild. Affected versions include FortiSIEM 6.1 through 6.7.9 and 7.0.0 through 7.3.1. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.