CVE-2025-66644 in ArrayOS AG

Summary

by MITRE • 12/05/2025

Array Networks ArrayOS AG before 9.4.5.9 allows command injection, as exploited in the wild in August through December 2025.


Analysis

by VulDB Data Team • 12/09/2025

The vulnerability identified as CVE-2025-66644 represents a critical command injection flaw within Array Networks ArrayOS AG versions prior to 9.4.5.9. This vulnerability exposes the network infrastructure to potential exploitation through malicious command execution, making it a significant concern for organizations relying on Array Networks load balancers and application delivery controllers. The flaw was actively exploited in the wild between August and December 2025, indicating a real-world threat that required immediate attention from cybersecurity professionals and system administrators across various industries.

This command injection vulnerability stems from inadequate input validation in the ArrayOS AG software. Attackers can manipulate specific parameters in the application's interface or API endpoints to inject commands that execute with the privileges of the affected service account. Such a weakness arises when user-supplied data is incorporated directly into system commands without sanitization or encoding. Here the software fails to properly escape or validate input parameters that are subsequently used in shell commands or system-level operations, creating a path to arbitrary code execution.

The operational impact of CVE-2025-66644 extends beyond simple unauthorized access, as successful exploitation can result in complete system compromise, data exfiltration, and disruption of critical network services. Organizations utilizing affected Array Networks devices may face unauthorized access to sensitive network infrastructure, potential lateral movement within their network environments, and the ability to execute commands that could lead to persistent backdoors. The exploitation timeframe of August through December 2025 suggests that threat actors were actively targeting these systems, potentially using the vulnerability to establish footholds for more extensive attacks or to disrupt critical business operations.

Security professionals should prioritize immediate remediation efforts by upgrading to ArrayOS AG version 9.4.5.9 or later, which contains the necessary patches to address the command injection vulnerability. Additionally, network segmentation and access controls should be implemented to limit exposure of affected devices to untrusted networks, while monitoring systems should be enhanced to detect suspicious command execution patterns. The vulnerability aligns with CWE-77 and CWE-94 categories, representing both command injection and code injection weaknesses that are commonly exploited in enterprise environments. This issue maps to ATT&CK technique T1059.001 for command and scripting interpreter, highlighting the need for comprehensive defensive measures including input validation, privilege separation, and regular security assessments to prevent exploitation of similar vulnerabilities in network infrastructure devices.

Responsible: MITRE

Reservation: 12/05/2025

Disclosure: 12/05/2025

Moderation: accepted

CPE: ready

EPSS: 0.02026

KEV: yes

Activities: very low
