Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Mon, 10 Feb 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2024-11-25'}


Mon, 02 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2024-11-25'}


Mon, 25 Nov 2024 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862

Mon, 25 Nov 2024 18:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2024-11-25'}


Mon, 25 Nov 2024 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306

Mon, 25 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
CPEs cpe:2.3:o:arraynetworks:arrayos_ag:-:*:*:*:*:*:*:*
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2025-07-30T01:37:29.659Z

Reserved: 2023-03-15T00:00:00.000Z

Link: CVE-2023-28461

cve-icon Vulnrichment

Updated: 2024-08-02T12:38:25.279Z

cve-icon NVD

Status : Analyzed

Published: 2023-03-15T23:15:10.070

Modified: 2025-03-14T20:01:09.890

Link: CVE-2023-28461

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.