External risk intelligence

ArrayOS Command Injection Vulnerability

CVE advisory · Known Exploit

CVE-2025-66644

Array Networks ArrayOS AG, used in secure access gateways, has a command injection vulnerability. This flaw allows attackers to execute arbitrary commands, potentially leading to unauthorized access and data compromise. Organizations using affected versions face significant business risk due to the potential for system

Halo Surface Signal: 5

OS Command Injection

Array Networks ArrayOS AG

before 9.4.5.9

External exposure likelihood

Halo Surface Signal score for CVE-2025-66644

ArrayOS AG is the operating system for Array Networks' SSL VPN and application gateway appliances. These devices are designed to act as internet-facing gateways and remote access points, making them inherently public-facing by design in normal deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

Array Networks ArrayOS AG, a component used in Array Networks' SSL VPN and application gateway appliances, contains a vulnerability that allows for command injection. This flaw enables unauthorized execution of commands on affected systems. The potential business impact includes significant disruption, compromise of sensitive data, and potential for further unauthorized access within the organization's network.

  • Vulnerable operating system
  • Allows command injection
  • Business disruption and data compromise

Attack Path

How an attacker could exploit the issue

The identified vulnerability allows attackers to inject and execute arbitrary commands on affected systems. This is possible when external attackers can access vulnerable systems over the network. Once access is gained, the attacker can exploit this vulnerability to gain control over the system.

  • External network exposure
  • Unauthenticated network access
  • Command injection results in system control

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows attackers to inject and execute commands on affected systems. This could lead to unauthorized access, data compromise, or disruption of services. Organizations with internet-facing ArrayOS AG devices are at risk.

  • Attackers with low skill level.
  • No access or conditions required.
  • High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization should address this command injection vulnerability by first identifying all instances of the affected software within its environment. Subsequently, it must take steps to limit potential exposure or isolate any identified systems to mitigate risk. Finally, the vendor's provided fix should be applied, and its successful implementation verified, followed by ongoing monitoring for any related security events.

  • Find exposed assets.
  • Reduce exposure or isolate risk.
  • Apply fix, verify, and monitor.

Frequently asked questions

What is the software context for CVE-2025-66644, and what are the affected Array Networks products?

CVE-2025-66644 affects Array Networks ArrayOS AG, specifically versions prior to 9.4.5.9. This operating system is a component used in various Array Networks appliances, including SSL VPN and application gateway devices like the AG1000, AG1000T, AG1000V5, AG1100, AG1100V5, AG1150, AG1200, AG1200V5, AG1500, AG1500FIPS, AG1500V5, AG1600, AG1600V5, and VXAG.

How is the ArrayOS AG command injection vulnerability (CVE-2025-66644) classified, and what is its weakness?

This vulnerability is classified as a CRITICAL severity issue with a base score of 9.8. It falls under the weakness category CWE-78, which represents OS command injection. This means attackers can inject and execute arbitrary commands on the affected systems.
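To make the CWE-78 weakness class concrete, the following is an added illustration and not ArrayOS code; it says nothing about where the real flaw in the product lives. It shows the same host-lookup feature written two ways: the vulnerable form concatenates user input into a string meant for a shell, the hardened form allow-lists the input and builds an argument vector that no shell ever parses. Neither function executes anything; they return what would be run, and a small shlex-based helper shows how a shell would tokenize the vulnerable string. The `ping` command line is a generic stand-in chosen for the example.

```python
"""CWE-78 (OS command injection) illustration: vulnerable versus hardened.

Added example for the weakness class named in the advisory; not ArrayOS code.
Nothing here runs a command: both builders return what *would* be executed,
so the difference is visible without touching a shell.
"""
import re
import shlex

# Strict allow-list for a DNS hostname: labels of letters, digits and inner hyphens.
# A leading hyphen is rejected too, so the value can never be mistaken for an option.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Tokens that, once a shell sees them, end one command and start another.
SHELL_SEPARATORS = {";", "|", "||", "&", "&&", "(", ")"}


def build_ping_vulnerable(host: str) -> str:
    """CWE-78 pattern: untrusted input concatenated into a shell command string.

    The returned string is what code like subprocess.run(cmd, shell=True) would
    hand to /bin/sh. A value such as 'example.com; id' becomes two commands.
    """
    return "ping -c 1 " + host


def build_ping_hardened(host: str) -> list:
    """Hardened form: validate against an allow-list, then build an argv list.

    The returned list is what subprocess.run(argv) would execute directly, with
    no shell in between, so metacharacters in `host` have no special meaning.
    """
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def hardened_rejects(host: str) -> bool:
    """True when the hardened builder refuses the input (convenience for checks)."""
    try:
        build_ping_hardened(host)
    except ValueError:
        return True
    return False


def shell_would_split(command: str) -> bool:
    """Heuristic: would a POSIX shell see more than one command in this string?

    shlex in punctuation_chars mode emits ';', '|', '&', '(' and ')' as their own
    tokens, which is enough to flag the classic separator-based injections. This
    is a demonstration aid, not a sanitizer; the fix is the argv form above.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return any(tok in SHELL_SEPARATORS for tok in lexer)


if __name__ == "__main__":
    # Constructed inputs: one benign hostname and one carrying a separator.
    for value in ("example.com", "example.com; id"):
        cmd = build_ping_vulnerable(value)
        print(f"vulnerable -> {cmd!r}  (extra command? {shell_would_split(cmd)})")
        if hardened_rejects(value):
            print(f"hardened   -> rejected {value!r}")
        else:
            print(f"hardened   -> argv {build_ping_hardened(value)}")
```

The allow-list is doing the real work: even with an argv list, a value the program later interprets itself (a file path, an option-looking string) needs its own validation, so the pattern is "validate, then avoid the shell", not one or the other.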

What is the trigger path for the ArrayOS AG command injection vulnerability, and does it involve scope negation?

The vulnerability allows for command injection through network access. Attackers can exploit this when external access to vulnerable systems is possible, leading to unauthorized command execution. The provided information does not specify scope negation, but the CVSS vector indicates that no privileges and no user interaction are required.

What is the relevance of CVE-2025-66644, considering its exploitation and CISA's advisory?

CVE-2025-66644 is highly relevant as it has been actively exploited in the wild from August through December 2025. CISA has also listed it on the Known Exploited Vulnerabilities (KEV) catalog, indicating a significant and current threat that requires immediate attention.

What practical response steps should organizations take to address the ArrayOS AG command injection vulnerability?

Organizations should first identify all instances of the affected ArrayOS AG software. Next, they must take steps to limit potential exposure or isolate any identified systems. Finally, applying the vendor's provided fix, verifying its successful implementation, and establishing ongoing monitoring for related security events are crucial.
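The Operational Fix section and this answer describe the same three-step procedure: find affected assets, prioritize exposed ones for isolation, then apply and verify the 9.4.5.9 fix. The following is an added example of the first two steps as an inventory triage script; it is not vendor tooling, and the hostnames, versions and exposure flags in the sample inventory are constructed. The product list comes from the FAQ answer above. The one detail worth seeing in code is version ordering: "before 9.4.5.9" must be decided on numeric components, because plain string comparison puts 9.4.5.10 before 9.4.5.9.

```python
"""Inventory triage for CVE-2025-66644 (ArrayOS AG before 9.4.5.9).

Added example, not vendor tooling. The asset records below are constructed
sample data; the version parsing and prioritization logic is the point.
"""
import re
from dataclasses import dataclass

FIXED_VERSION = "9.4.5.9"  # first fixed release named in the advisory

# ArrayOS AG products listed in the advisory FAQ.
AFFECTED_PRODUCTS = {
    "AG1000", "AG1000T", "AG1000V5", "AG1100", "AG1100V5", "AG1150",
    "AG1200", "AG1200V5", "AG1500", "AG1500FIPS", "AG1500V5", "AG1600",
    "AG1600V5", "VXAG",
}


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints so 9.4.5.10 > 9.4.5.9.

    String comparison gets this backwards ('9.4.5.10' < '9.4.5.9'), which is
    exactly the kind of error that leaves a patched-looking box unpatched.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the asset is an ArrayOS AG product on a build older than the fix."""
    if product.upper() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(assets):
    """Return affected assets, most urgent first.

    Internet-facing devices come before internal ones (they match the exposure
    the advisory warns about), and within each group the oldest build first.
    """
    affected = [a for a in assets if is_affected(a.product, a.version)]
    return sorted(affected, key=lambda a: (not a.internet_facing, parse_version(a.version)))


# Constructed sample inventory: hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    Asset("vpn-edge-01", "AG1500", "9.4.5.8", internet_facing=True),
    Asset("vpn-edge-02", "AG1500", "9.4.5.9", internet_facing=True),
    Asset("lab-vxag", "VXAG", "9.4.5.10", internet_facing=False),
    Asset("gw-internal", "AG1100", "9.4.4.0", internet_facing=False),
    Asset("fw-01", "OtherVendorFW", "1.0", internet_facing=True),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        exposure = "INTERNET-FACING: isolate or restrict now" if a.internet_facing else "internal"
        print(f"{a.hostname}: {a.product} {a.version} ({exposure}); upgrade to {FIXED_VERSION} or later")
```

After the upgrade, rerunning the same triage against a fresh inventory pull is the verification step: an asset that still appears is either not yet patched or is reporting a version the upgrade did not actually change.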
