Overview
- The command injection issue affects ArrayOS AG 9.4.5.8 and earlier and is addressed in ArrayOS 9.4.5.9, released on May 11, 2025.
- Confirmed incidents since August 2025 involve attempts to drop PHP webshells at /ca/aproxy/webapp/ and the creation of unauthorized users.
- JPCERT/CC says observed attack traffic has originated from IP address 194.233.100[.]138.
- If immediate patching is not possible, JPCERT/CC advises disabling DesktopDirect when unused and filtering URLs that contain a semicolon.
- Research scans identified 1,831 exposed Array AG instances worldwide, with at least 11 confirmed hosts running DesktopDirect, while the overall scale and actor attribution remain unknown.
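
A log-triage sketch for the indicators in the bullets above, added here as an example and not taken from JPCERT/CC or Array Networks. It assumes the gateway's access logs are available in Apache-style combined format; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators from the bullets above; the IP is kept defanged as on the page.
WEBSHELL_DIR = "/ca/aproxy/webapp/"
REPORTED_SOURCE_IP = "194.233.100[.]138".replace("[.]", ".")

# Assumption: Apache-style combined log lines; adjust the regex to your format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+)[^"]*"')

def decode(url, rounds=3):
    """Percent-decode repeatedly so %3B and %253B are both seen as ';'."""
    for _ in range(rounds):
        nxt = unquote(url)
        if nxt == url:
            break
        url = nxt
    return url

def triage(line):
    """Return the reasons a log line deserves review (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    url = decode(m["url"])
    path = url.split("?", 1)[0]
    reasons = []
    if ";" in url:  # same condition as the recommended URL filter
        reasons.append("semicolon-in-url")
    if path.startswith(WEBSHELL_DIR) and path.lower().endswith(".php"):
        reasons.append("php-under-webapp-dir")
    if m["ip"] == REPORTED_SOURCE_IP:
        reasons.append("reported-source-ip")
    return reasons

# Constructed sample lines (not real traffic).
TS = "[01/Sep/2025:10:00:00 +0900]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "GET /index.html HTTP/1.1" 200 512',
    f'203.0.113.9 - - {TS} "GET /example/path%253Bx HTTP/1.1" 404 0',
    f'203.0.113.9 - - {TS} "POST /ca/aproxy/webapp/sample.php HTTP/1.1" 200 64',
    f'{REPORTED_SOURCE_IP} - - {TS} "GET / HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE:
        hits = triage(line)
        if hits:
            print(",".join(hits), "|", line)
```

The semicolon check also matches legitimate path parameters such as `;jsessionid=`, so treat those hits as leads to review alongside the check for unauthorized user accounts, not as confirmed compromise.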