Arrayos Ag

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Published: 2025-12-05T00:00:00.000Z
Updated: 2026-02-26T16:57:31.054Z

MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows remote command execution via crafted packets. AG and vxAG 9.3.0.259.x are unaffected.

Published: 2023-12-22T00:00:00.000Z
Updated: 2025-04-23T16:20:10.464Z

Array AG OS before 9.4.0.499 allows denial of service: remote attackers can cause system service processes to crash through abnormal HTTP operations.

Published: 2023-08-25T00:00:00.000Z
Updated: 2024-10-02T17:57:16.988Z

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

Published: 2023-03-15T00:00:00.000Z
Updated: 2025-10-21T23:15:23.174Z

The user interface of Array Networks AG Series and vxAG through 9.4.0.470 could allow a remote attacker to use the gdb tool to overwrite the backend function call stack after accessing the system with administrator privileges. A successful exploit could leverage this vulnerability in the backend binary file that handles the user interface to a cause denial of service attack. This is fixed in AG 9.4.0.481.

Published: 2023-02-03T00:00:00.000Z
Updated: 2025-03-26T14:55:05.017Z

Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows unauthenticated command injection that leads to privilege escalation and control of the system. NOTE: ArrayOS AG 10.x is unaffected.

Published: 2022-10-12T00:00:00.000Z
Updated: 2025-05-15T17:55:18.203Z