CVE-2025-66644

CVSS 7.2 HIGH | Listed in CISA KEV

📋 TL;DR

This CVE describes a command injection vulnerability in Array Networks ArrayOS AG VPN appliances. An unauthenticated attacker can execute arbitrary commands on an affected appliance and thereby take full control of it. Any organization running an ArrayOS AG release earlier than 9.4.5.9 is affected.

💻 Affected Systems

Products:
  • Array Networks ArrayOS AG
Versions: All versions before 9.4.5.9
Operating Systems: ArrayOS (custom OS)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

📦 What is this software?

ArrayOS AG is the operating system of Array Networks' AG Series secure access gateways, SSL VPN appliances that terminate remote-access sessions at the network edge. Because they exist to accept connections from remote users, they are normally exposed directly to the internet.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise: attackers install webshells, steal credentials, pivot into internal networks, and deploy ransomware or other malware.

🟠 Likely Case

Attackers install webshells for persistent access, deploy cryptocurrency miners, or enlist the appliance in a botnet.

🟢 If Mitigated

Limited impact with proper network segmentation and monitoring, although the VPN appliance itself is still compromised.

🌐 Internet-Facing: HIGH - VPN appliances are typically internet-facing and actively exploited in the wild.
🏢 Internal Only: MEDIUM - If VPN is only accessible internally, risk is reduced but still significant due to potential lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Actively exploited in the wild since August 2025. Exploitation requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4.5.9

Vendor Advisory: https://x.com/ArraySupport/status/1921373397533032590

Restart Required: Yes

Instructions:

1. Download ArrayOS AG version 9.4.5.9 from the Array Networks support portal.
2. Back up the current configuration.
3. Apply the update through the web interface or the CLI.
4. Reboot the appliance (a restart is required).
5. Verify that 'show version' now reports 9.4.5.9 or later.

🔧 Temporary Workarounds

Network Access Control (applies to all versions)

Restrict access to the VPN management interface to trusted IP addresses only. The user-facing VPN portal must remain reachable for remote users, so this reduces management-plane exposure only.

Disable Unused Features (applies to all versions)

Disable any VPN features or management interfaces that are not required.

🧯 If You Can't Patch

  • Isolate the VPN appliance in a DMZ with strict firewall rules
  • Implement network segmentation to limit lateral movement from a compromised VPN appliance

Because exploitation needs no authentication and the appliance is normally internet-facing, these controls limit the blast radius rather than prevent compromise; treat the upgrade to 9.4.5.9 as the only complete fix.

🔍 How to Verify

Check if Vulnerable:

Check ArrayOS version via web interface (System > About) or CLI command 'show version'

Check Version:

show version

Verify Fix Applied:

Verify version is 9.4.5.9 or later and monitor logs for suspicious activity
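Added example, not from Array Networks or this page: a small Python check that pulls the version string out of 'show version' (or System > About) output and compares it numerically against the fixed release. The sample banners are constructed and the real ArrayOS banner wording may differ, so adjust the regex to match it. The numeric comparison is the point: a plain string comparison ranks "9.4.5.10" below "9.4.5.9" and would flag a patched appliance as vulnerable.

```python
import re

# First fixed ArrayOS AG release named on this page.
FIXED_VERSION = (9, 4, 5, 9)

# Matches the first dotted version number (3 or 4 components) in a banner.
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){2,3})\b")


def parse_version(text: str) -> tuple:
    """Pull the first dotted version out of 'show version' (or System > About) text
    and return it as a tuple of ints. Raises ValueError if none is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version string found in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: tuple, fixed: tuple = FIXED_VERSION) -> bool:
    """True when 'version' sorts before the fixed release.
    Tuples compare element-wise, so (9,4,5,10) > (9,4,5,9); a plain string
    comparison would rank "9.4.5.10" below "9.4.5.9" and misclassify it.
    Shorter tuples are zero-padded so 9.4.5 is treated as 9.4.5.0."""
    width = max(len(version), len(fixed))
    v = version + (0,) * (width - len(version))
    f = fixed + (0,) * (width - len(fixed))
    return v < f


def assess(banner: str) -> dict:
    """Convenience wrapper: banner text in, verdict out."""
    v = parse_version(banner)
    return {"version": ".".join(map(str, v)), "vulnerable": is_vulnerable(v)}


# Constructed sample banners (hypothetical wording, not captured from an appliance).
SAMPLE_BANNERS = [
    "ArrayOS AG version 9.4.5.8 (build 1204)",
    "ArrayOS AG version 9.4.5.9 (build 1310)",
    "ArrayOS AG version 9.4.5.10 (build 1402)",
    "ArrayOS AG version 9.4.0 (build 877)",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = assess(b)
        print("%-12s %s" % (r["version"], "VULNERABLE" if r["vulnerable"] else "patched"))
```

Feed it the text of the banner captured over SSH or copied from the web UI; a fleet of appliances can be checked by looping over saved banner files.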

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Webshell file creation in web directories
  • Suspicious process execution

Network Indicators:

  • Unusual outbound connections from VPN appliance
  • Traffic to known malicious IPs
  • Anomalous VPN authentication patterns

SIEM Query:

source="arrayos" AND (event_type="command_execution" OR file_creation="*.php" OR file_creation="*.jsp")

The field names above are illustrative; map them to the schema your log parser assigns to the appliance's syslog, and keep the wildcards, since an exact match on ".php" never fires against a full path.
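The same three indicator classes (web-server account spawning a shell, script written under a served directory, unexpected outbound connection) as detection logic run over a constructed syslog sample. This is an added example, not the page's or the vendor's code; the user names, paths, regexes, allowlist addresses and log format are all assumptions to be replaced with what your appliance actually emits.

```python
import re

# Every pattern, user name, path and address below is an assumption made for
# this example; adapt them to what your appliance actually sends to syslog.
WEB_USERS = {"www", "nobody"}                      # account the web front end runs as
WEB_DIRS = ("/var/www/", "/usr/local/www/")        # directories served over HTTP(S)
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".cgi", ".sh")
SHELLS = ("/bin/sh", "/bin/bash", "/usr/bin/perl", "/usr/bin/python")
# Hosts the appliance is expected to initiate connections to:
# directory server, syslog collector, NTP (constructed allowlist).
EXPECTED_OUTBOUND = {"10.0.0.10", "10.0.0.20", "10.0.0.30"}

EXEC_RE = re.compile(r'exec uid=(?P<uid>\S+) pid=\d+ cmd="(?P<cmd>[^"]*)"')
CREATE_RE = re.compile(r"create path=(?P<path>\S+) uid=(?P<uid>\S+)")
OUTBOUND_RE = re.compile(r"outbound dst=(?P<ip>[\d.]+):(?P<port>\d+)")


def check_line(line: str) -> list:
    """Return the identifiers of every rule that fires on one log line."""
    hits = []
    m = EXEC_RE.search(line)
    # R1: the web front-end account spawning a shell or interpreter is the
    # classic footprint of command injection through a web handler.
    if m and m.group("uid") in WEB_USERS and m.group("cmd").startswith(SHELLS):
        hits.append("R1_webuser_spawned_shell")
    m = CREATE_RE.search(line)
    # R2: a script written under a served directory is a likely webshell drop.
    if m and m.group("path").startswith(WEB_DIRS) and m.group("path").lower().endswith(SCRIPT_EXT):
        hits.append("R2_script_written_to_webroot")
    m = OUTBOUND_RE.search(line)
    # R3: the appliance should only ever call out to a short allowlist; anything
    # else is a candidate reverse shell, C2 beacon or miner pool connection.
    if m and m.group("ip") not in EXPECTED_OUTBOUND:
        hits.append("R3_unexpected_outbound")
    return hits


def detect(lines) -> list:
    """Run every rule over a sequence of log lines and collect findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        for rule in check_line(line):
            findings.append({"line": n, "rule": rule, "text": line})
    return findings


# Constructed sample log (syslog-like, not real appliance output).
SAMPLE_LOG = [
    "Aug 14 02:10:58 vpn01 sshd: session opened for admin from 10.0.0.5",
    'Aug 14 02:11:07 vpn01 audit: exec uid=www pid=2311 cmd="/bin/sh -c id"',
    "Aug 14 02:11:09 vpn01 audit: create path=/var/www/html/tmp/c.php uid=www",
    "Aug 14 02:11:30 vpn01 net: outbound dst=10.0.0.10:636 proto=tcp",
    "Aug 14 02:12:30 vpn01 net: outbound dst=203.0.113.77:4444 proto=tcp",
    'Aug 14 02:13:02 vpn01 audit: exec uid=root pid=2400 cmd="/usr/sbin/ntpd -g"',
    "Aug 14 02:13:10 vpn01 audit: create path=/var/www/html/images/logo.png uid=www",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print("line %d %-30s %s" % (f["line"], f["rule"], f["text"]))
```

R3 is the rule worth investing in: an SSL VPN gateway has a very short list of legitimate outbound destinations, so an allowlist on its egress produces high-signal alerts with few false positives, whereas R1 and R2 depend on the appliance actually logging process and file events.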
