What happened
CISA added CVE-2023-28461 to the Known Exploited Vulnerabilities catalog on 2024-11-25, mandating remediation by 2024-12-16 for federal agencies (CISA KEV).
The flaw impacts Array Networks AG and vxAG systems running ArrayOS and is actively exploited in the wild per the KEV listing (CISA KEV).
CISA describes this as “Missing Authentication for Critical Function,” mapping to CWE-306 in the entry metadata for the CVE (CISA KEV).
NVD confirms the vulnerability allows an attacker to read local files and execute code on the SSL VPN gateway component of the appliance (NVD).
The CVE record is published under CVE-2023-28461 with the described impact and affected product family, corroborating the advisory details (MITRE CVE).
CISA notes exploitation associated with ransomware operations for this entry, signaling criminal adoption beyond opportunistic probing (CISA KEV).
Why it matters
This is a pre-auth class bug by definition: authentication is missing on a critical function, which places compromise before user validation on an edge device (NVD).
When the target is an SSL VPN gateway, code execution and file read risks extend to credential theft, session hijack, and rapid lateral movement from a trusted access point (NVD).
CISA’s KEV designation means the vulnerability is confirmed exploited in the wild, which historically correlates with broad scanning and weaponization windows closing fast (CISA KEV).
Ransomware operators prioritize perimeter appliance bugs with pre-auth reach because they bypass MFA and user-based controls entirely at the ingress tier (CISA KEV).
Organizations running AG/vxAG ArrayOS should assume adversary interest and treat remediation as a production-outage-level priority until validated fixed or mitigated (NVD).
Technical detail
CVE-2023-28461 stems from “Missing Authentication for Critical Function” (CWE-306), meaning a sensitive operation is exposed without proper auth gating (NVD).
NVD states exploitation enables local file read and arbitrary code execution directly on the SSL VPN gateway, implying attacker control on the appliance itself (NVD).
The affected product family is Array Networks AG and vxAG running ArrayOS, per the canonical CVE records and KEV listing alignment (MITRE CVE).
Because the vulnerable surface is on the gateway, any successful exploit operates at a high-privilege choke point for remote access into internal networks (NVD).
CISA’s KEV entry marks this issue as actively exploited and assigns a due date for remediation actions, indicating concrete abuse is observed by defenders (CISA KEV).
The CVE record exists in the authoritative MITRE corpus and is synchronized across NVD, ensuring vendor and scope identification is consistent for responders (MITRE CVE).
Defense
CISA mandates: apply mitigations per vendor instructions or discontinue use if mitigations are unavailable, with a due date of 2024-12-16 for federal entities (CISA KEV).
Treat any exposed Array Networks AG/vxAG ArrayOS VPN gateway as high risk until patch/mitigation is verified, prioritizing assets reachable from the internet first (NVD).
Use the KEV entry as a tracking object in vulnerability management, ensuring programmatic exception windows do not extend past the CISA due date (CISA KEV).
If immediate remediation is not possible, remove the device from edge exposure and restrict access paths while you validate compensations and recovery procedures (CISA KEV).
Document asset ownership and business impact for each AG/vxAG device to accelerate maintenance windows and rollback if unexpected behavior occurs post-fix (MITRE CVE).
After mitigation, conduct integrity checks of the gateway, rotate credentials that may have been present on the device, and review access logs for anomalies (NVD).
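One way to enforce the tracking rule above (exception windows capped at the CISA due date, internet-facing gateways first), as an added example that is not code from CISA, Array Networks or Lyrie. The KEV record uses the field names of CISA's JSON feed with the dates stated on this page; the asset inventory, its field names and the status labels are constructed for illustration.

```python
from datetime import date

# KEV-shaped record: field names follow CISA's KEV JSON feed,
# values are the ones stated on this page.
KEV_ENTRY = {
    "cveID": "CVE-2023-28461",
    "dateAdded": "2024-11-25",
    "dueDate": "2024-12-16",
    "knownRansomwareCampaignUse": "Known",
    "cwes": ["CWE-306"],
}

# Constructed inventory: hostnames, field names and dates are hypothetical.
ASSETS = [
    {"host": "vpn-edge-01", "internet_facing": True, "state": "open", "exception_until": "2025-01-15"},
    {"host": "vpn-edge-02", "internet_facing": True, "state": "mitigated", "exception_until": None},
    {"host": "vpn-lab-01", "internet_facing": False, "state": "open", "exception_until": "2024-12-10"},
    {"host": "vpn-dr-01", "internet_facing": False, "state": "open", "exception_until": None},
]

RANK = {"OVERDUE": 0, "EXCEPTION_EXCEEDS_KEV_DUE": 1, "OPEN_WITHIN_WINDOW": 2, "VERIFY_REMEDIATION": 3}

def triage(kev, assets, today):
    """Return (host, status, effective_deadline) rows, most urgent first."""
    due = date.fromisoformat(kev["dueDate"])
    rows = []
    for a in assets:
        if a["state"] in ("fixed", "mitigated"):
            # Claimed remediation still has to be verified on the device.
            status, deadline = "VERIFY_REMEDIATION", None
        else:
            exc = date.fromisoformat(a["exception_until"]) if a["exception_until"] else None
            # An exception may shorten the window but never extend it past the KEV due date.
            deadline = min(exc, due) if exc else due
            if today > deadline:
                status = "OVERDUE"
            elif exc and exc > due:
                status = "EXCEPTION_EXCEEDS_KEV_DUE"
            else:
                status = "OPEN_WITHIN_WINDOW"
        rows.append((a["host"], status, deadline, a["internet_facing"]))
    # Unremediated devices first, internet-facing ones ahead of internal ones.
    rows.sort(key=lambda r: (r[1] == "VERIFY_REMEDIATION", not r[3], RANK[r[1]], r[0]))
    return [(h, s, d) for h, s, d, _ in rows]

if __name__ == "__main__":
    for host, status, deadline in triage(KEV_ENTRY, ASSETS, date(2024, 12, 12)):
        print(f"{host:12} {status:26} {deadline or '-'}")
```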
Lyrie Verdict
Pre-auth exploitation on a perimeter SSL VPN gateway is exactly where human-in-the-loop breaks; detection and containment must execute autonomously and instantly (CISA KEV).
Lyrie treats a KEV addition as a machine-speed trigger: we automatically flag AG/vxAG ArrayOS assets, elevate policy to high-risk, and enforce rapid isolation workflows on suspicious activity bursts (CISA KEV).
Our detection strategy composes two signals in real time: unauthenticated interaction patterns against the gateway and subsequent indicators consistent with code execution or file access on the device (NVD).
The platform continuously verifies remediation state against the CVE record and suppresses re-exposure by policy if the device drifts from the fixed/mitigated posture after deployment (MITRE CVE).
Against ransomware crews moving at scan-to-exploit speed, Lyrie closes the window by converting this KEV signal into autonomous controls before an operator ever sees an alert (CISA KEV).