PatchSiren

PatchSiren cyber security CVE debrief

CVE-2023-28461 Array Networks CVE debrief

CVE-2023-28461 is a high-priority issue for organizations using Array Networks AG/vxAG ArrayOS because CISA has added it to the Known Exploited Vulnerabilities catalog. The supplied record identifies the flaw as a missing authentication for a critical function and marks known ransomware campaign use as "Known." CISA’s remediation guidance is to apply vendor mitigations or discontinue use of the product if mitigations are unavailable.

Vendor: Array Networks
Product: AG/vxAG ArrayOS
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2024-11-25
Original CVE updated: 2024-11-25
Advisory published: 2024-11-25
Advisory updated: 2024-11-25

Who should care

Administrators and security teams responsible for Array Networks AG/vxAG ArrayOS appliances, along with incident responders and vulnerability management teams that track CISA KEV items.

Technical summary

The supplied sources describe CVE-2023-28461 as a missing authentication for a critical function in Array Networks AG/vxAG ArrayOS. CISA lists the vulnerability as actively exploited and associates it with known ransomware campaign use. The official remediation guidance in the KEV record is to apply mitigations per vendor instructions, or stop using the product if mitigations are not available.

Defensive priority

Critical: CISA KEV inclusion and known ransomware campaign use mean remediation should be prioritized immediately.

Recommended defensive actions

  • Confirm whether any Array Networks AG/vxAG ArrayOS instances are in service.
  • Check vendor guidance linked from the CISA KEV entry and apply the recommended mitigations immediately.
  • If no effective mitigation is available, plan to discontinue use of the product as directed by CISA.
  • Validate exposure and inventory, then monitor for signs of compromise on affected systems.
  • Track remediation status as an urgent vulnerability-management item until fully addressed.
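One way to carry out the inventory and tracking steps above, as an added example that is not part of the original debrief: it matches a KEV-style record against an asset inventory and ranks affected hosts by remediation status. The record uses the values this debrief states with the CISA KEV JSON feed's key names; the inventory, hostnames, and the `mitigated` field are constructed assumptions.

```python
from datetime import date

# KEV-style record built from the fields this debrief states (constructed, not fetched).
KEV_RECORD = {
    "cveID": "CVE-2023-28461",
    "vendorProject": "Array Networks",
    "product": "AG/vxAG ArrayOS",
    "dateAdded": "2024-11-25",
    "dueDate": "2024-12-16",
    "knownRansomwareCampaignUse": "Known",
}

# Constructed asset inventory (hypothetical hostnames and fields).
INVENTORY = [
    {"host": "vpn-gw-01", "vendor": "Array Networks", "product": "vxAG ArrayOS", "mitigated": False},
    {"host": "vpn-gw-02", "vendor": "array networks", "product": "AG ArrayOS", "mitigated": True},
    {"host": "web-01", "vendor": "Example Corp", "product": "ExampleOS", "mitigated": False},
]

def tokens(name):
    """Split 'AG/vxAG ArrayOS' into {'ag', 'vxag', 'arrayos'} for loose matching."""
    return set(name.lower().replace("/", " ").split())

def affected(asset, kev):
    """Vendor must match; every asset product token must appear in the KEV product name."""
    if asset["vendor"].strip().lower() != kev["vendorProject"].lower():
        return False
    asset_tokens = tokens(asset["product"])
    return bool(asset_tokens) and asset_tokens <= tokens(kev["product"])

def triage(inventory, kev, today):
    """Return one status row per affected asset, most urgent first."""
    days_left = (date.fromisoformat(kev["dueDate"]) - today).days
    rows = []
    for asset in inventory:
        if not affected(asset, kev):
            continue
        status = "mitigated" if asset["mitigated"] else ("overdue" if days_left < 0 else "open")
        rows.append({"host": asset["host"], "cve": kev["cveID"], "status": status,
                     "days_left": days_left,
                     "ransomware": kev["knownRansomwareCampaignUse"] == "Known"})
    order = {"overdue": 0, "open": 1, "mitigated": 2}
    return sorted(rows, key=lambda r: order[r["status"]])

if __name__ == "__main__":
    for row in triage(INVENTORY, KEV_RECORD, date(2024, 12, 20)):
        print(row)
```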

Evidence notes

Source material ties CVE-2023-28461 to Array Networks AG/vxAG ArrayOS and classifies it as a missing authentication for a critical function. The CISA KEV entry marks it as known exploited, notes known ransomware campaign use, and directs defenders to apply vendor mitigations or discontinue use if mitigations are unavailable. Supplied timing fields place the KEV addition and published record date at 2024-11-25, with remediation due 2024-12-16.

Official resources

This debrief is based only on the supplied source corpus and official links provided in the prompt. It avoids unsupported exploit details and does not infer facts beyond those sources.