Cyber Posture

CVE-2025-66644

Severity: High · CISA KEV · Active Exploitation

Published: 05 December 2025
Modified: 10 December 2025
KEV Added: 08 December 2025
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0120 (percentile rank 79.1)
Risk Priority: 35 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Directly remediates the command injection vulnerability by requiring timely application of vendor patches, here an upgrade to ArrayOS AG 9.4.5.9 or later.

- Prevent: Reduces exposure to command injection by validating user input against an allowlist before it reaches any command interpreter, the root cause class described by CWE-78. This is defense in depth on the vendor's side and does not replace the patch.

- Prevent: Enforces least privilege to minimize the number of accounts holding the high privileges (PR:H) that exploitation requires, shrinking the set of credentials whose theft or misuse turns into arbitrary command execution on the appliance.
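To make the input-validation control concrete, the following is an added example in Python and is not code from this page, from Array Networks or from ArrayOS. It shows the CWE-78 pattern in a hypothetical appliance diagnostic that pings a user-supplied host: the vulnerable form concatenates the input into a shell string, the hardened form validates the host against an allowlist and passes an argv list with no shell. The ping feature, the regex and the function names are assumptions made for illustration.

```python
import re
import subprocess

# Added example, not ArrayOS code. The "ping a host" diagnostic is a
# hypothetical appliance feature used to illustrate CWE-78.

# Hostname or IPv4 literal: labels of letters, digits and interior hyphens
# only. Shell metacharacters, whitespace, quotes and a leading "-" (option
# injection) can never pass, so the allowlist does the enforcement.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def build_command_vulnerable(host: str) -> str:
    """Vulnerable pattern: user input concatenated into a shell string."""
    return "ping -c 1 " + host


def run_vulnerable(host: str) -> subprocess.CompletedProcess:
    # shell=True hands the whole string to /bin/sh, so a host value of
    # "127.0.0.1; id" runs `id` as the appliance's service account.
    return subprocess.run(build_command_vulnerable(host), shell=True,
                          capture_output=True, text=True)


def build_command_hardened(host: str) -> list[str]:
    """Hardened pattern: allowlist validation, then an argv list."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host: str) -> subprocess.CompletedProcess:
    # argv list with shell=False: the host is always exactly one argument
    # to ping, whatever characters it contains.
    return subprocess.run(build_command_hardened(host), shell=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    payload = "127.0.0.1; id"
    print("vulnerable command string:", build_command_vulnerable(payload))
    for candidate in ("vpn.example.com", payload, "$(id)", "-f"):
        try:
            print(candidate, "->", build_command_hardened(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

The allowlist is the important part: a blocklist that strips `;` and `|` still lets `$(id)`, backticks or an embedded newline through, and `shlex.quote` alone does not stop option injection when the input starts with `-`.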

Security Summary [AI-generated]

CVE-2025-66644 is a command injection vulnerability (CWE-78) in Array Networks ArrayOS AG versions prior to 9.4.5.9 that lets an attacker execute arbitrary commands on the appliance. Its CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity and no user interaction, with high impact on confidentiality, integrity and availability, but requiring high privileges.

Exploitation requires high privileges (PR:H), such as an authenticated administrative account, so an attacker must already hold or first obtain such credentials. Once exploited, the flaw yields full compromise of the appliance. In attacks observed from August through December 2025, threat actors used it to deploy webshells on ArrayOS AG VPN appliances.

The vendor remediation is to upgrade to ArrayOS AG 9.4.5.9 or later. The flaw is listed in the CISA Known Exploited Vulnerabilities Catalog, which mandates remediation by US federal civilian executive branch agencies. Additional guidance appears in JPCERT advisory AT-2025-0024 and an Array Networks support announcement.

In-the-wild exploitation is documented by multiple sources, including BleepingComputer reporting on the webshell deployments. Because a webshell survives the upgrade, appliances that were exposed before patching should be checked for compromise, not only updated.

Details

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 08 December 2025

Affected Products

arraynetworks arrayos ag, versions before 9.4.5.9 (fixed in 9.4.5.9)

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Command injection in a network-reachable VPN appliance lets an attacker exploit a public-facing application (T1190), and the observed intrusions used it to deploy webshells for persistence (T1505.003). Note that the CVSS vector requires high privileges (PR:H), so the T1190 step presupposes administrative access to the appliance obtained by other means.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
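The webshell deployment mapped to T1505.003 above is something a defender can hunt for in an appliance's HTTP access logs after the fact. The following is an added example and is not tooling from this page or from Array Networks: it scores Apache combined-format access log lines with a few generic webshell heuristics (script files outside a baseline of known paths, command-style query parameters, POSTs to unknown paths, non-browser user agents). The log lines, IP addresses, paths and baseline are constructed for the example; the real ArrayOS AG log format and URL layout are not described on this page and are not assumed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log in Apache combined format. These lines, addresses and
# paths are invented for this example and are not ArrayOS AG logs.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2025:10:01:07 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2025:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "https://vpn.example.test/login" "Mozilla/5.0"
203.0.113.5 - - [12/Dec/2025:10:01:10 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "https://vpn.example.test/portal" "Mozilla/5.0"
198.51.100.77 - - [12/Dec/2025:10:14:51 +0000] "POST /img/x.php HTTP/1.1" 200 73 "-" "curl/8.4.0"
198.51.100.77 - - [12/Dec/2025:10:14:52 +0000] "GET /img/x.php?cmd=id HTTP/1.1" 200 41 "-" "curl/8.4.0"
192.0.2.9 - - [12/Dec/2025:10:20:03 +0000] "GET /help/faq.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Dec/2025:10:21:30 +0000] "POST /api/upload HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
"""

# Hypothetical baseline: paths the appliance is known to serve legitimately.
# In practice this is built from a known-good log sample or the firmware image.
BASELINE_PATHS = {"/login", "/portal", "/static/app.js"}

SCRIPT_EXT = (".php", ".jsp", ".jspx", ".asp", ".aspx", ".cgi", ".pl")
CMD_PARAMS = {"cmd", "exec", "command", "c", "run"}
TOOL_UA = re.compile(r"^(curl|wget|python-requests|go-http-client)", re.I)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "path": parts.path, "params": set(parse_qs(parts.query)),
        "status": int(m["status"]), "ua": m["ua"],
    }


def score_request(rec, baseline=BASELINE_PATHS):
    """Add up heuristic points; each reason is kept so an analyst can triage."""
    score, reasons = 0, []
    known = rec["path"] in baseline
    if not known and rec["path"].lower().endswith(SCRIPT_EXT):
        score += 2
        reasons.append("script file outside baseline")
    if CMD_PARAMS & rec["params"]:
        score += 2
        reasons.append("command-style query parameter")
    if not known and rec["method"] == "POST":
        score += 1
        reasons.append("POST to unknown path")
    if TOOL_UA.match(rec["ua"]):
        score += 1
        reasons.append("non-browser user agent")
    return score, reasons


def hunt(log_text: str, threshold: int = 3, baseline=BASELINE_PATHS):
    """Return scored records at or above the threshold, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        score, reasons = score_request(rec, baseline)
        if score >= threshold:
            hits.append({**rec, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["method"], h["path"], h["score"],
              "; ".join(h["reasons"]))
```

With the default threshold only the two requests to the dropped `x.php` fire; the scripted `POST /api/upload` scores 2 and stays below the line, which is the kind of borderline entry worth a second look once the baseline is trusted. The heuristics are deliberately crude: a webshell can live at a path that looks legitimate and answer to a browser user agent, so pair log review with a file-integrity comparison of the appliance's web root against a clean image.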
