Gateway Breach: How Hidden Flaws in Array's Remote Access Opened Doors for Attackers
Japanese organizations face a new wave of cyberattacks as a stealthy vulnerability in Array's popular AG Series gateways is actively exploited in the wild.
Fast Facts
- A command injection flaw in Array AG Series gateways has been exploited since August 2025.
- The vulnerability affects the DesktopDirect remote desktop feature and was patched in May 2025.
- Attackers have used the flaw to install malicious web shells on vulnerable devices in Japan.
- No official CVE identifier has been assigned to the vulnerability yet.
- JPCERT urges immediate updates or disabling of DesktopDirect for unpatched systems.
Invisible Entryways: The Human Cost of Remote Access
Imagine a secure office building with a single, little-known side door that was never properly locked. For months, intruders slip in and out, leaving behind invisible tripwires and listening devices. This is the scenario now confronting Japanese businesses relying on Array Networks' AG Series gateways, after JPCERT/CC confirmed active exploitation of a newly revealed command injection vulnerability.
Inside the Attack: How a Simple Flaw Became a Widespread Threat
The heart of the breach lies in Array's DesktopDirect feature - a tool designed to let employees securely access their work computers from anywhere. But a flaw in how the system processes certain commands allowed attackers to sneak in their own instructions, effectively hijacking the device. The vulnerability, lacking even a formal CVE number, was quietly patched in May 2025, but attackers had already begun targeting unpatched systems by August, dropping web shells - malicious programs that give hackers persistent control - onto devices across Japan.
The attacks, traced to IP address 194.233.100[.]138, remain shrouded in mystery. There's no public evidence yet about who is behind them or how many organizations have been hit. The similarity to a previous 2023 attack, where a Chinese cyber-espionage group called MirrorFace exploited another flaw in the same product line, has raised concerns, but no direct link has been established.
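The indicator above is published in defanged form so that it cannot be clicked or resolved by accident. As an added example (not code from the article, JPCERT/CC or Array Networks), the Python below refangs it and checks web-server access-log lines in Common Log Format for requests from that address, which is the first check a defender would run against a gateway's own logs. The sample log lines, their paths and timestamps are constructed for the example and are not Array AG endpoints.

```python
import re
from typing import List, Tuple

# Source IP reported in the article, kept defanged in code and data files;
# it is refanged only at comparison time.
DEFANGED_IOC = "194.233.100[.]138"


def refang(indicator: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into its literal form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Common Log Format: client IP, ident, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ioc_hits(log_lines: List[str], defanged_ioc: str = DEFANGED_IOC) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, method, path, status) for every request from the IoC address.

    Lines that do not parse are skipped rather than raising, so a malformed
    line cannot stop the scan of a large log.
    """
    ioc = refang(defanged_ioc)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") == ioc:
            hits.append((m.group("ts"), m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample log; /example-endpoint is a placeholder, not a real Array AG path.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Sep/2025:09:14:02 +0900] "GET /login HTTP/1.1" 200 512',
    '194.233.100.138 - - [02/Sep/2025:09:15:41 +0900] "POST /example-endpoint HTTP/1.1" 200 88',
    '194.233.100.138 - - [02/Sep/2025:09:15:43 +0900] "GET /example-endpoint HTTP/1.1" 403 0',
    '192.0.2.77 - - [02/Sep/2025:09:16:10 +0900] "GET /healthz HTTP/1.1" 200 2',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print("IoC match:", hit)
```

A 200 response to a POST from the indicator address is the line worth pulling the full request body for; a 403 alone shows only that the address probed the device. Matching on the client IP column is deliberately exact rather than substring-based, so 194.233.100.1380 or a proxied X-Forwarded-For value elsewhere on the line does not produce a false hit.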
Lessons from the Past: Recurring Weaknesses in Remote Access Tools
This isn't the first time remote access systems have become a favored target. From the infamous VPN hacks of 2021 to repeated breaches of remote desktop solutions worldwide, attackers have consistently exploited overlooked flaws to plant backdoors, steal data, and stage further attacks. In almost every case, the gap between patch release and user action becomes the critical window for compromise.
With remote work now a permanent fixture, the stakes are higher than ever. Secure gateways are supposed to be digital sentries, but as this latest incident shows, even a small overlooked weakness can render the walls meaningless. Experts warn that as long as organizations delay updates or leave unnecessary features enabled, they will remain easy prey for opportunistic hackers and sophisticated nation-state actors alike.
WIKICROOK
- Command Injection: A vulnerability where attackers trick a system into running unauthorized operating-system commands by inserting malicious input into user fields or interfaces that the system passes to a command interpreter.
- Web Shell: A web shell is a malicious script uploaded to a server by hackers, allowing them to control the server remotely via a web interface.
- Remote Desktop: Remote Desktop lets users securely access and control a computer from another location, commonly used for remote work and technical support.
- Patch: A patch is a software update released to fix security vulnerabilities or bugs in programs, helping protect devices from cyber threats and improve stability.
- Authentication Bypass: Authentication bypass is a vulnerability that lets attackers skip or trick the login process, gaining access to systems without valid credentials.
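To make the first glossary entry concrete, here is an added Python example (not code from the article or from Array Networks) contrasting a request handler that splices a user-supplied host name into a shell command with a hardened version that validates the name against an allowlist and hands the program an argument list instead of a shell string. The reachability-check scenario, the function names and the `ping` helper are hypothetical and chosen only to illustrate the pattern behind command injection in remote-access software.

```python
import re
import subprocess
from typing import List

# Hypothetical scenario: a gateway checks that a user's workstation answers
# before brokering a remote-desktop session. The host name comes straight from
# the request, which is the input an attacker controls.


def build_command_vulnerable(host: str) -> str:
    """VULNERABLE: untrusted input becomes part of a shell command line.

    Executed with shell=True, the input 'example.com; id' runs 'id' as a second
    command, and '$(id)' or backticks are expanded by the shell as well.
    """
    return f"ping -c 1 {host}"


# Allowlist for a DNS host name or IPv4 literal: labels of letters, digits and
# hyphens, separated by dots. No shell metacharacter, whitespace or leading
# hyphen can pass, so argument injection (a host of "-f") is blocked too.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_command_hardened(host: str) -> List[str]:
    """HARDENED: reject anything outside the allowlist, then build an argv list.

    The list form never passes through a shell, so the input is one argument
    to ping no matter what it contains; the allowlist is the second layer.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host name: {host!r}")
    return ["ping", "-c", "1", host]


def is_reachable(host: str, timeout_s: float = 3.0) -> bool:
    """Run the hardened command without a shell; True if ping exits 0."""
    argv = build_command_hardened(host)
    result = subprocess.run(argv, capture_output=True, timeout=timeout_s, check=False)
    return result.returncode == 0


if __name__ == "__main__":
    for candidate in ["example.com", "example.com; id", "$(id)", "-f"]:
        try:
            print("accepted:", build_command_hardened(candidate))
        except ValueError as exc:
            print("blocked: ", exc)
```

The hardened path relies on two independent controls: `subprocess.run` with a list and no `shell=True` removes the interpreter that would honour `;` or `$(...)`, and the allowlist rejects input that is not a plausible host name at all. Either alone is weaker than both together, which is why the patch for a flaw like the one described above typically adds validation rather than only escaping.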