Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66644

CVE-2025-66644: Array Networks ArrayOS AG RCE Vulnerability

CVE-2025-66644 is a command injection flaw in Array Networks ArrayOS AG that enables remote code execution. Actively exploited in the wild, this vulnerability affects versions before 9.4.5.9 and poses significant risks.

Published:

CVE-2025-66644 Overview

Array Networks ArrayOS AG before version 9.4.5.9 contains a command injection vulnerability that allows remote attackers to execute arbitrary commands on affected devices. This vulnerability has been actively exploited in the wild from August through December 2025, with threat actors leveraging it to deploy webshells on compromised VPN appliances.

Critical Impact

This vulnerability enables unauthenticated remote code execution on Array Networks VPN appliances, allowing attackers to gain complete control over network edge devices and potentially pivot into internal networks.

Affected Products

  • Array Networks ArrayOS AG (versions before 9.4.5.9)
  • Array Networks AG1000, AG1000T, AG1000V5
  • Array Networks AG1100, AG1100V5, AG1150
  • Array Networks AG1200, AG1200V5
  • Array Networks AG1500, AG1500FIPS, AG1500V5
  • Array Networks AG1600, AG1600V5
  • Array Networks vxAG (Virtual Appliance)

Discovery Timeline

  • December 5, 2025 - CVE-2025-66644 published to NVD
  • December 10, 2025 - Last updated in NVD database

Technical Details for CVE-2025-66644

Vulnerability Analysis

This command injection vulnerability (CWE-78: Improper Neutralization of Special Elements used in an OS Command) affects the ArrayOS AG operating system powering Array Networks' SSL VPN appliances. The vulnerability allows unauthenticated attackers to inject and execute arbitrary operating system commands remotely. Given that these devices serve as VPN gateways at network perimeters, successful exploitation provides attackers with a strategic foothold for further intrusion into protected networks.

The active exploitation campaign documented between August and December 2025 demonstrates that threat actors have been using this vulnerability to plant webshells on compromised devices, establishing persistent access for subsequent malicious activities.

Root Cause

The vulnerability stems from improper neutralization of special elements in user-supplied input before it is passed to operating system command execution functions. The affected code fails to properly sanitize or escape user input, allowing attackers to break out of the intended command context and inject their own commands. This is a classic command injection pattern where input validation is insufficient or absent.

Attack Vector

The vulnerability is exploitable over the network without requiring authentication or user interaction. Attackers can craft malicious HTTP requests containing command injection payloads targeting vulnerable ArrayOS AG endpoints. The injected commands execute with the privileges of the web application process, typically providing sufficient access to deploy persistence mechanisms such as webshells.

As documented by JPCERT, attackers in the wild have been leveraging this vulnerability to plant webshells on compromised devices, enabling persistent remote access. The Bleeping Computer security coverage provides additional details on the observed exploitation patterns.

Detection Methods for CVE-2025-66644

Indicators of Compromise

  • Presence of unexpected webshell files in web-accessible directories on ArrayOS AG appliances
  • Unusual outbound network connections from VPN appliances to unknown external IP addresses
  • Anomalous process spawning from web server processes, particularly shell invocations
  • Unexpected modifications to system configuration files or scheduled tasks

Detection Strategies

  • Monitor ArrayOS AG access logs for requests containing shell metacharacters such as semicolons, pipes, backticks, and command substitution syntax
  • Deploy network intrusion detection rules to identify command injection payloads in HTTP traffic destined for Array Networks appliances
  • Implement file integrity monitoring on ArrayOS AG devices to detect unauthorized file modifications or additions
  • Review authentication logs for anomalous access patterns following successful exploitation

Monitoring Recommendations

  • Enable verbose logging on ArrayOS AG appliances and forward logs to a centralized SIEM for correlation
  • Establish baseline network behavior for VPN appliances and alert on deviations indicating potential compromise
  • Monitor for DNS queries to known malicious infrastructure or unusual domain patterns from VPN appliances
  • Conduct periodic integrity checks of ArrayOS AG system files against known-good baselines

How to Mitigate CVE-2025-66644

Immediate Actions Required

  • Upgrade ArrayOS AG to version 9.4.5.9 or later immediately on all affected appliances
  • Review ArrayOS AG appliances for signs of compromise, including webshells and unauthorized configuration changes
  • Restrict network access to management interfaces using firewall rules or access control lists
  • Implement network segmentation to limit lateral movement potential if VPN appliances are compromised

Patch Information

Array Networks has released ArrayOS AG version 9.4.5.9 which addresses this command injection vulnerability. Organizations should prioritize patching given the confirmed active exploitation. The Array Support account has provided updates regarding the security fix.

This vulnerability has been added to the CISA Known Exploited Vulnerabilities Catalog, which mandates federal agencies to apply mitigations according to the specified timeline.

Workarounds

  • If immediate patching is not possible, place ArrayOS AG appliances behind a web application firewall (WAF) configured to block command injection patterns
  • Restrict access to the VPN appliance management interface to trusted IP addresses only
  • Implement strict egress filtering to prevent compromised appliances from establishing outbound connections to attacker infrastructure
  • Consider temporarily taking vulnerable appliances offline if they cannot be patched and alternative VPN solutions are available
bash
# Example: Restrict management access to trusted networks (conceptual)
# Consult Array Networks documentation for specific CLI syntax
access-list management-restrict permit ip 10.0.0.0/8 any
access-list management-restrict deny ip any any
interface management
  ip access-group management-restrict in

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.