Tag: DesktopDirect

  • Covert Backdoor: Array AG Gateway Exploit Allows Command Execution

    Hacker groups have exploited a security gap in Array AG Series corporate gateways, implanting covert management micro-programs and creating fraudulent user accounts without the administrator’s knowledge. The flaw, tracked as CVE-2025-66644, enabled arbitrary command execution on the device, granting attackers the ability to manipulate the system environment as though they possessed full, privileged access.

    The problem grew markedly more acute after a warning from JPCERT/CC: the Japanese response team established that the attacks have been ongoing since at least August and are aimed primarily at local organizations. Analysts discovered that the delivery of malicious components — and all subsequent activity — originated from a single address, 194.233.100[.]138, which served not only as the entry point, but also as the command node for compromised machines. In several investigated cases, adversaries attempted to upload a PHP script into the /ca/aproxy/webapp/ directory — a script capable of granting operators full control over traffic, redirecting requests, and carrying out covert tasks.

    All versions of ArrayOS AG prior to 9.4.5.8 are vulnerable, including both hardware appliances and virtualized instances with the DesktopDirect module enabled. This module introduces additional functionality into the system — functionality that proved susceptible to injection. Researchers emphasize that updating to 9.4.5.9 fully eliminates the flaw. For organizations unable to patch immediately, temporary mitigations include disabling all DesktopDirect services if remote desktop access is not required, and filtering requests containing semicolons — a character the attackers rely on when crafting malicious payloads, making such filtering an effective means of reducing reinfection risk.
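As an added, defensive illustration of the mitigations above (example code, not from the article, JPCERT/CC or Array Networks): a small Python triage script that flags gateway access-log lines matching the indicators the report names. The log line format, the sample lines and the non-indicator paths are constructed assumptions; only the upload directory, the semicolon indicator and the command-node address come from the text.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

C2_ADDRESS = "194.233.100.138"        # defanged in the report as 194.233.100[.]138
WEBSHELL_DIR = "/ca/aproxy/webapp/"   # upload target named in the report

# Constructed log shape (assumption): "<client_ip> <METHOD> <request_uri> <status>"
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")

@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    uri: str

def classify(ip: str, method: str, uri: str) -> list[str]:
    """Return the names of the indicators a single request matches (empty if none)."""
    decoded = unquote(uri)            # catch %3B as well as a literal ';'
    path = urlsplit(decoded).path
    reasons = []
    if ip == C2_ADDRESS:
        reasons.append("known-c2-source")
    if ";" in decoded:
        # The report says attackers rely on ';' in payloads; review legitimate
        # path parameters in your own traffic before turning this into a block rule.
        reasons.append("semicolon-in-request")
    if method in ("POST", "PUT") and path.startswith(WEBSHELL_DIR) and path.lower().endswith(".php"):
        reasons.append("php-upload-to-webapp-dir")
    return reasons

def scan(lines: list[str]) -> list[Finding]:
    """Run classify() over access-log lines; lines that do not parse are skipped."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for reason in classify(m["ip"], m["method"], m["uri"]):
            findings.append(Finding(n, reason, m["uri"]))
    return findings

# Constructed sample lines; only the indicators themselves come from the report.
SAMPLE_LOG = [
    "10.0.0.5 GET /ca/aproxy/webapp/index.html 200",
    "194.233.100.138 GET /portal/login 200",
    "203.0.113.7 POST /ca/aproxy/webapp/helper.php 200",
    "203.0.113.9 GET /portal/api?name=alpha%3Bbeta 200",
]
```

Running `scan(SAMPLE_LOG)` returns one finding each for lines 2, 3 and 4; the benign read of a static page on line 1 is not flagged.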

    The Array AG Series occupies a prominent position in the infrastructure of large enterprises. These devices establish encrypted SSL channels through which employees access internal applications, virtual desktops, and cloud resources. Such gateways are frequently deployed in environments that demand reliable operation both inside and outside corporate offices — meaning that any compromise can disrupt a broad set of critical business processes at once.

    After the alarming reports emerged, Macnica researcher Yutaka Sezuyama performed an internet-wide survey of exposed devices. His scan identified 1,831 instances worldwide, with concentrations in China, Japan, and the United States. At least 11 nodes were confirmed to be running active DesktopDirect, though the true figure is likely higher, as many systems remain hidden behind corporate access policies and network-masking tools.

    Sezuyama also highlighted a striking imbalance in how different regions perceive the threat. Outside Asia, he noted, organizations treat the issue with far less urgency; international firms tend to prioritize threats targeting more ubiquitous platforms, while attacks on the Array AG Series rarely appear in global incident-response reports. As a result, the scale of exploitation remained underestimated for a considerable period.

    Journalists sought clarification from Array Networks on whether the company intends to publish a formal advisory and assign a CVE identifier, but as of now the vendor has offered no comment. Meanwhile, this is not the first time hardware from the AG line has been targeted. Just a year earlier, CISA documented active exploitation of CVE-2023-28461, a critical flaw that allowed code execution on both AG and vxAG platforms.