CVE-2023-28461: Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability (Pentest Lab Guide)

CVE-2023-28461: Technical Deep-Dive (Auto Refreshed)

Generated on 2026-03-23T13:03:37.320Z. This file is automatically regenerated every 30 minutes by the CVE AI enrichment job using web sources (NVD, MITRE, CISA KEV, GitHub).

Executive Technical Summary

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

Context preserved from previous revision: Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon." Notes: Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.

Technical Details

CVE: CVE-2023-28461
KEV date added: 2024-11-25
KEV due date: 2024-12-16
NVD published: 2023-03-16
NVD modified: 2025-11-03
MITRE modified: 2025-10-21
CVSS base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS exploitability score: 3.9
CVSS impact score: 5.9
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality impact: High
Integrity impact: High
Availability impact: High

Versions and Products Impacted

arraynetworks / arrayos ag (versions: <= 9.4.0.481)
n/a / n/a (versions: n/a)
arraynetworks / arrayos_ag (versions: 0)

Weakness Classification

CWE-287
CWE-306

Repositories for Lab Validation (Public Examples)

Ostorlab/KEV | stars: 608 | updated: 2026-03-23 | https://github.com/Ostorlab/KEV
Notes: Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google's Tsunami, Ostorlab's Asteroid and Bug Bounty programs.
packetinside/CISA_BOT | stars: 0 | updated: 2025-08-08 | https://github.com/packetinside/CISA_BOT
Notes: CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.

People and Organizations Mentioned

mitre
Array Networks
AG/vxAG ArrayOS
Ostorlab
packetinside

Practical Defensive Validation (Authorized Only)

Use only isolated environments and systems you own or are explicitly authorized to test.
Snapshot infrastructure before validation and preserve baseline logs (EDR, SIEM, OS, app).
Use arraynetworks / arrayos ag (versions: <= 9.4.0.481) in isolated VM snapshots (vulnerable vs patched) and compare process tree telemetry before/after updates.
Validate command-execution prevention policies (AppLocker/WDAC/EDR) with harmless test binaries only.
Create SIEM detections for suspicious parent-child chains, encoded command usage, and abnormal service creation.

References

This content is for defensive security training and authorized validation only.