


Perceptive Security
SOC/SIEM Consultancy

Hackers are exploiting ArrayOS AG VPN flaw to plant webshells
Published: 4 December 2025 at 23:05:05
Alert date: 5 December 2025 at 08:03:22
Source: bleepingcomputer.com

Threat actors are actively exploiting a command injection vulnerability in Array AG Series VPN devices to deploy webshells and create unauthorized user accounts. The planted webshells give the attackers persistent access to the compromised VPN infrastructure, which they then use to establish rogue user accounts for continued access. The vulnerability is being exploited in the wild. Organizations using these devices should take immediate action to secure their systems.
Affected products:
Array AG Series VPN
ArrayOS AG
This article was created with the assistance of AI technology by Perceptive.