CVE-2025-66644

Published: Dec 5, 2025Modified: Dec 10, 2025CISA KEV

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Affected (1)

Products: Arraynetworks: Arrayos Ag

1 product

Configuration A

1 vulnerable · 14 platform

Vulnerable Software	Affected Versions
Arraynetworks Arrayos Ag	Before 9.4.5.9

Running on/with	Platform Versions
Arraynetworks Ag1000	All versions
Arraynetworks Ag1000t	All versions
Arraynetworks Ag1000v5	All versions
Arraynetworks Ag1100	All versions
Arraynetworks Ag1100v5	All versions
Arraynetworks Ag1150	All versions
Arraynetworks Ag1200	All versions
Arraynetworks Ag1200v5	All versions
Arraynetworks Ag1500	All versions
Arraynetworks Ag1500fips	All versions
Arraynetworks Ag1500v5	All versions
Arraynetworks Ag1600	All versions
Arraynetworks Ag1600v5	All versions
Arraynetworks Vxag	All versions

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-arrayos-ag-vpn-flaw-to-plant-webshells/

Source: cve@mitre.org

Press/Media Coverage

https://www.jpcert.or.jp/at/2025/at250024.html

Source: cve@mitre.org

Third Party Advisory

https://x.com/ArraySupport/status/1921373397533032590

Source: cve@mitre.org

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-66644

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.