VDB
CVE-2023-28461
CVE-2023-28461
PUBLISHED
KEV
CVSS 9.300000190734863 CRITICAL
Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
EPSS 89.29% · 99.6th percentile
Risk Scores
CVSS v4.0
9.300000190734863
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS Score
89.29%
99.6th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| n/a | n/a | n/a, n/a |
| arraynetworks | arrayos_ag | 0, 0 |
| arraynetworks | arrayos_ag | 0, 0 |
Timeline
- Mar 15, 2023 CVE Published
- Mar 16, 2023 EPSS Score
- Jun 1, 2023 EPSS Score
- Jul 10, 2023 EPSS Score
- Sep 25, 2023 EPSS Score
- Dec 11, 2023 EPSS Score
- Jan 19, 2024 EPSS Score
- Apr 5, 2024 EPSS Score
- Jun 21, 2024 EPSS Score
- Jul 30, 2024 EPSS Score
- Oct 15, 2024 EPSS Score
- Nov 20, 2024 PoC Published
References
- https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf url
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28461 url
- https://nvd.nist.gov/vuln/detail/CVE-2023-28461 advisory