Cyber Posture

CVE-2025-66644

High · CISA KEV · Active Exploitation · RCE

Published: 05 December 2025
Modified: 10 December 2025
KEV Added: 08 December 2025
Patch
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0154 (81.6th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66644 is a high-severity OS Command Injection (CWE-78) vulnerability in Array Networks ArrayOS AG. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 18.4% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (Web Shell, T1505.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent, SI-2 (Flaw Remediation): Directly remediates the command injection vulnerability by requiring timely application of vendor patches, such as upgrading to ArrayOS AG 9.4.5.9 or later.

prevent, SI-10 (Information Input Validation): Prevents command injection by validating and sanitizing user input so that it cannot be interpreted as additional OS commands, directly addressing CWE-78.

prevent: Enforces least privilege to minimize the number of accounts holding the high privileges (PR:H) required for exploitation, reducing the attack surface on ArrayOS AG systems.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Command injection in a network-accessible VPN appliance enables exploitation of a public-facing application (T1190) and facilitates web shell deployment (T1505.003, formerly tracked under the retired ID T1100), as observed in real-world attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

Deeper analysis (AI-generated)

CVE-2025-66644 is a command injection vulnerability (CWE-78) affecting Array Networks ArrayOS AG versions prior to 9.4.5.9. The flaw allows an attacker to execute arbitrary OS commands on the affected appliance. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): high severity because exploitation is network-based and low-complexity and fully impacts confidentiality, integrity, and availability, tempered only by the requirement for high privileges.

Exploitation requires an attacker to have high-level privileges (PR:H) on the target system, such as an authenticated administrative user. Once exploited, attackers can achieve full system compromise, including high impacts across confidentiality, integrity, and availability. In real-world attacks observed from August through December 2025, threat actors leveraged this vulnerability to deploy webshells on ArrayOS AG VPN appliances.

Advisories recommend upgrading to ArrayOS AG version 9.4.5.9 or later to mitigate the vulnerability. The flaw is listed in the CISA Known Exploited Vulnerabilities Catalog, mandating patching by federal agencies. Additional guidance appears in JPCERT advisory AT-2025-0024 and an Array Networks support announcement.

This vulnerability has seen active in-the-wild exploitation, as documented by multiple sources including BleepingComputer reports on webshell deployments.

Details

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 08 December 2025

Affected Products

Array Networks ArrayOS AG, ≤ 9.4.5.9 (as listed in this record; the NVD description and the remediation guidance above indicate that versions before 9.4.5.9 are affected and that 9.4.5.9 is the fixed release)

CVEs Like This One

CVE-2024-50603 (shared CWE-78; both on KEV)
CVE-2025-48703 (shared CWE-78; both on KEV)
CVE-2026-1731 (shared CWE-78; both on KEV)
CVE-2026-25108 (shared CWE-78; both on KEV)
CVE-2025-11953 (shared CWE-78; both on KEV)
CVE-2025-1316 (shared CWE-78; both on KEV)
CVE-2025-58034 (shared CWE-78; both on KEV)
CVE-2024-40890 (shared CWE-78; both on KEV)
CVE-2025-9377 (shared CWE-78; both on KEV)
CVE-2025-54948 (shared CWE-78; both on KEV)

References