CVE-2025-66644

CVSS 7.2 HIGH | EPSS 3.0% | KEV | CWE-78
Vexday Risk Score: 51 (Attention)
SSVC decision (CISA): Act (exploitation + impact → act immediately)
Lifecycle
05 Dec 2025: Published on NVD
08 Dec 2025: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

Array Networks ArrayOS AG versions before 9.4.5.9 contain a vulnerability that allows attackers to inject and execute arbitrary commands on the system. This is a critical security flaw because it gives attackers complete control over the affected device.

Technical detail

Command injection vulnerability (CWE-78) in ArrayOS AG < 9.4.5.9 allows unauthenticated or low-privileged attackers to execute arbitrary OS commands through unsanitized input parameters. The vulnerability was actively exploited in the wild from August to December 2025, indicating high exploitability and potential for widespread compromise of vulnerable appliances.

Summary generated and translated by AI from the official description.
Official description: Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
