
JPCERT Confirms Active Command Injection Attacks on Array AG Gateways

0
Low
Exploit: remote
Published: Fri Dec 05 2025 (12/05/2025, 05:40:00 UTC)
Source: The Hacker News

Description

A command injection vulnerability in Array Networks AG Series secure access gateways has been exploited in the wild since August 2025, according to an alert issued by JPCERT/CC this week. The vulnerability, which does not have a CVE identifier, was addressed by the company on May 11, 2025. It's rooted in Array's DesktopDirect, a remote desktop access solution that allows users to securely access

AI-Powered Analysis

Last updated: 12/06/2025, 04:42:21 UTC

Technical Analysis

The security threat involves a command injection vulnerability in the DesktopDirect feature of Array Networks AG Series secure access gateways, which provide remote desktop access capabilities. This vulnerability allows unauthenticated remote attackers to execute arbitrary system commands on affected devices, potentially leading to full system compromise. The flaw was addressed in ArrayOS version 9.4.5.9, with all prior versions including 9.4.5.8 and earlier being vulnerable. JPCERT/CC confirmed active exploitation since August 2025, with attackers deploying web shells to maintain persistent access. The attacks have been observed primarily in Japan, originating from the IP address 194.233.100[.]138. Although no CVE identifier has been assigned, the vulnerability is serious given the ability to execute arbitrary commands without authentication. The DesktopDirect feature, when enabled, exposes this attack surface. The threat actor behind these attacks remains unidentified, but historical context includes a prior critical authentication bypass (CVE-2023-28461) in the same product exploited by a China-linked espionage group known as MirrorFace targeting Japanese organizations. The vulnerability impacts confidentiality and integrity by allowing attackers to execute commands and potentially control the device remotely. The lack of authentication requirement and the remote nature of the attack vector increase the risk. The vendor has released patches, and JPCERT/CC recommends disabling DesktopDirect and applying URL filtering to block semicolons as interim mitigations. The absence of a CVSS score necessitates a severity assessment based on impact and exploitability.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for those using Array Networks AG Series gateways with DesktopDirect enabled to facilitate remote access. Successful exploitation can lead to unauthorized command execution, enabling attackers to deploy web shells, steal sensitive data, disrupt operations, or pivot within networks. This compromises confidentiality, integrity, and potentially availability of critical systems. Given the remote access nature of the product, attackers can bypass perimeter defenses and gain persistent footholds. Organizations in sectors relying heavily on secure remote access, such as finance, healthcare, government, and critical infrastructure, are particularly vulnerable. The ongoing exploitation in Japan indicates active threat actor interest, which could extend to Europe due to similar technology usage. Additionally, the historical targeting of Japanese organizations by sophisticated espionage groups suggests that European entities with strategic importance or similar profiles could be targeted next. The impact is exacerbated if patches are not applied promptly or if DesktopDirect remains enabled without adequate controls.

Mitigation Recommendations

1. Immediately apply the vendor-released patch by upgrading to ArrayOS version 9.4.5.9 or later to remediate the vulnerability.
2. If immediate patching is not feasible, disable the DesktopDirect feature to eliminate the attack surface temporarily.
3. Implement URL filtering on network gateways and firewalls to block URLs containing semicolons, which are used in command injection payloads.
4. Conduct thorough network monitoring and endpoint detection for indicators of compromise, such as web shells or unusual command execution on Array AG gateways.
5. Restrict management and remote access interfaces to trusted IP addresses and enforce strong access controls.
6. Review and harden configurations related to remote desktop access solutions to minimize exposure.
7. Educate IT and security teams about this specific threat to ensure rapid detection and response.
8. Maintain up-to-date asset inventories to identify all affected devices and ensure comprehensive patching.
9. Consider deploying application-layer firewalls or intrusion prevention systems capable of detecting command injection attempts targeting DesktopDirect.
10. Collaborate with threat intelligence providers to stay informed about emerging exploitation tactics and indicators related to this vulnerability.
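Steps 3 and 4 above (semicolon URL filtering and monitoring for indicators of compromise) can be turned into a log-side check. The following Python script is an added example written for this page; it is not code from JPCERT/CC, Array Networks, or The Hacker News. It runs over a few constructed access-log lines in combined log format, flags requests whose decoded URL carries a semicolon under a watched path prefix, and flags the source IP the advisory reports (194.233.100[.]138, refanged here for matching). The `/desktopdirect/` prefix is a hypothetical placeholder, since the advisory does not publish the vulnerable endpoint; set `WATCHED_PREFIXES` to the paths your gateway actually serves DesktopDirect from.

```python
import re
from urllib.parse import unquote

# Source IP JPCERT/CC associated with the observed attacks (defanged on the page as 194.233.100[.]138).
KNOWN_SOURCE_IPS = {"194.233.100.138"}

# Hypothetical path prefix for the DesktopDirect feature; the advisory does not name the real endpoint.
WATCHED_PREFIXES = ("/desktopdirect/",)

# Constructed sample log in Apache/nginx combined format. Lines 2 and 3 carry a semicolon (raw and
# percent-encoded); line 4 shows a legitimate semicolon in a path outside the watched prefix.
SAMPLE_LOG = """\
10.0.0.7 - - [05/Dec/2025:09:12:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
194.233.100.138 - - [05/Dec/2025:09:12:44 +0000] "GET /desktopdirect/example?host=a;id HTTP/1.1" 200 87 "-" "curl/8.0"
10.0.0.9 - - [05/Dec/2025:09:13:10 +0000] "GET /desktopdirect/example?host=a%3Bwhoami HTTP/1.1" 200 91 "-" "python-requests/2.31"
10.0.0.12 - - [05/Dec/2025:09:14:02 +0000] "GET /app;jsessionid=ABC HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def would_block(target: str) -> bool:
    """Blanket interim filter as the advisory describes it: reject any request target that
    contains a semicolon. Decoding first matters, because a filter that only matches a literal
    ';' is bypassed by the percent-encoded form %3B."""
    return ";" in unquote(target)


def analyze(line: str):
    """Return a finding dict for a suspicious log line, or None for a clean or unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    path = unquote(target.split("?", 1)[0])
    reasons = []
    # Scope the semicolon rule to the DesktopDirect paths so that legitimate uses of ';' elsewhere
    # (e.g. ;jsessionid= matrix parameters) do not drown the alert in false positives.
    if any(path.startswith(p) for p in WATCHED_PREFIXES) and would_block(target):
        reasons.append("semicolon_in_url")
    # The reported source IP is a direct indicator regardless of the path requested.
    if ip in KNOWN_SOURCE_IPS:
        reasons.append("known_source_ip")
    if not reasons:
        return None
    return {
        "ip": ip,
        "ts": m.group("ts"),
        "target": target,
        "decoded": unquote(target),
        "reasons": reasons,
    }


def scan(log_text: str):
    """Run analyze() over every line of an access log and collect the findings in order."""
    return [f for f in (analyze(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["decoded"], ",".join(finding["reasons"]))
```

Note the difference between `would_block` and `scan`: the blanket filter the advisory recommends also rejects the `/app;jsessionid=ABC` request, so if your gateway serves applications that rely on semicolons in URLs, restrict the filter rule to the DesktopDirect paths or disable the feature outright (step 2) rather than filtering site-wide.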


Technical Details

Article Source: https://thehackernews.com/2025/12/jpcert-confirms-active-command.html (fetched 2025-12-06T04:40:41Z, 879 words)

Threat ID: 6933b3cf2271496a0fa5db22

Added to database: 12/6/2025, 4:40:47 AM

Last enriched: 12/6/2025, 4:42:21 AM

Last updated: 12/6/2025, 3:22:25 PM

Views: 12

