Cyber Resilience

CVE-2025-66644

High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 05 December 2025
Modified: 10 December 2025
KEV Added: 08 December 2025
Patch: available (ArrayOS AG 9.4.5.9 or later)
CVSS v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0235 (85.2nd percentile)
Risk Priority: 36 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-66644 is a high-severity OS command injection (CWE-78) vulnerability in Array Networks ArrayOS AG. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.8% of CVEs by EPSS exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-66644 is an OS command injection vulnerability (CWE-78) in Array Networks ArrayOS AG versions before 9.4.5.9 that lets an attacker execute arbitrary commands on the appliance. Its CVSS v3.1 base score is 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no user interaction, and high impact on confidentiality, integrity and availability, but requiring high privileges.

The PR:H component means the attacker needs high privileges on the target, such as an authenticated administrative session on the management interface, so the exposure of that interface and the strength of administrator credentials determine the realistic attack surface. Once exploited, the attacker gains full control of the appliance, with high impact on confidentiality, integrity and availability. In attacks observed from August through December 2025, threat actors used this vulnerability to deploy web shells on ArrayOS AG VPN appliances.

Vendor and national CERT advisories recommend upgrading to ArrayOS AG 9.4.5.9 or later. The flaw is listed in the CISA Known Exploited Vulnerabilities catalog, which obliges U.S. federal civilian agencies to remediate it. Additional guidance appears in JPCERT advisory AT-2025-0024 and an Array Networks support announcement.

Active in-the-wild exploitation has been documented by multiple sources, including BleepingComputer reporting on the web shell deployments.

Vulnerability details

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 08 December 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Command injection in a network-reachable VPN appliance is exploitation of a public-facing application (T1190), and the observed post-exploitation activity, dropping web shells on the appliances, is Web Shell persistence (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1731 (shared CWE-78; both on KEV)
CVE-2025-48703 (shared CWE-78; both on KEV)
CVE-2024-50603 (shared CWE-78; both on KEV)
CVE-2024-40890 (shared CWE-78; both on KEV)
CVE-2025-58034 (shared CWE-78; both on KEV)
CVE-2025-11953 (shared CWE-78; both on KEV)
CVE-2025-9377 (shared CWE-78; both on KEV)
CVE-2025-54948 (shared CWE-78; both on KEV)
CVE-2026-25108 (shared CWE-78; both on KEV)
CVE-2025-1316 (shared CWE-78; both on KEV)

Affected Assets

arraynetworks
arrayos ag
< 9.4.5.9 (all versions before 9.4.5.9; fixed in 9.4.5.9)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)

Directly remediates the command injection vulnerability by requiring timely application of vendor patches, here upgrading to ArrayOS AG 9.4.5.9 or later.

SI-10 Information Input Validation (prevent)

Prevents command injection by validating user input against an allow-list before it reaches an OS command, so shell metacharacters cannot alter the command executed; this directly addresses CWE-78.
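As an added illustration of what SI-10 means for CWE-78 (this is generic example code, not ArrayOS AG code, and the page gives no detail of the actual vulnerable handler), the block below shows a diagnostic "ping" handler that splices an admin-supplied host into a shell command string, beside a hardened version that validates the value against an allow-list and passes it as a single argv element with no shell. The handler name, the regular expression and the sample payload are constructed for the example.

```python
"""Illustrative CWE-78 pattern and its hardened counterpart.
Generic example code for this page, not ArrayOS AG code; the handler,
the allow-list pattern and the sample inputs are constructed."""
import re
import shlex
import subprocess

# Hostname or dotted IPv4 only: letters, digits, dots and hyphens, and a
# leading alphanumeric so the value can never be parsed as an option ("-f").
# IPv6 literals are deliberately not accepted by this pattern.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_vulnerable_command(host: str) -> str:
    """CWE-78: the caller runs this with subprocess.run(cmd, shell=True),
    so ';', '|', '&&' and '$(...)' in `host` are interpreted by /bin/sh."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    """Allow-list check in the SI-10 sense: accept only a plain hostname or
    IPv4 address. Reject; never try to strip or escape 'bad' characters."""
    return _HOST_RE.fullmatch(host) is not None


def build_safe_argv(host: str) -> list:
    """Hardened form: validate first, then hand the value to the program as
    one argv element. With shell=False nothing re-parses the string."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the hardened form (not exercised by the tests: needs ping)."""
    return subprocess.run(build_safe_argv(host), shell=False,
                          capture_output=True, text=True, timeout=timeout)


def demo() -> dict:
    """Push the same constructed injection attempt through both paths."""
    payload = "198.51.100.7; cat /etc/passwd"   # constructed payload
    results = {"vulnerable": build_vulnerable_command(payload)}
    try:
        results["hardened"] = build_safe_argv(payload)
    except ValueError as exc:
        results["hardened"] = str(exc)
    # Quoting alone is not validation: shlex.quote turns the payload into a
    # single shell word, but a value such as "-f" would still reach ping as
    # an option. The allow-list check has to come first.
    results["quoted_only"] = f"ping -c 1 {shlex.quote(payload)}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the PR:H metric makes for this pattern is that "the caller is an authenticated administrator" is not a reason to skip validation: once a privileged web handler hands attacker-controlled text to a shell, a stolen or brute-forced admin session becomes root on the appliance, which is exactly the web shell outcome this page records.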

AC-6 Least Privilege (prevent)

Enforces least privilege to minimize the number of accounts holding the high privileges (PR:H) that exploitation requires, shrinking the set of credentials whose compromise exposes ArrayOS AG systems.

References