CVE-2025-66644
CVE-2025-66644
In short
Array Networks ArrayOS AG versions before 9.4.5.9 contain a vulnerability that allows attackers to inject and execute arbitrary commands on the system. This is a critical security flaw because it gives attackers complete control over the affected device.
Technical detail
Command injection vulnerability (CWE-78) in ArrayOS AG < 9.4.5.9 allows unauthenticated or low-privileged attackers to execute arbitrary OS commands through unsanitized input parameters. The vulnerability was actively exploited in the wild from August to December 2025, indicating high exploitability and potential for widespread compromise of vulnerable appliances.
Summary generated and translated by AI from the official description.
Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
Array Networks · ArrayOS AGWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644https://www.jpcert.or.jp/at/2025/at250024.htmlhttps://x.com/ArraySupport/status/1921373397533032590