Home

Description

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.

PUBLISHED Reserved 2025-12-05 | Published 2025-12-05 | Updated 2025-12-09 | Assigner mitre




HIGH: 7.2CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Date added 2025-12-08 | Due date 2025-12-29

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 9.4.5.9
affected

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-66644 government-resource

www.jpcert.or.jp/at/2025/at250024.html

x.com/ArraySupport/status/1921373397533032590

www.bleepingcomputer.com/...-ag-vpn-flaw-to-plant-webshells/

cve.org (CVE-2025-66644)

nvd.nist.gov (CVE-2025-66644)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.